Abstract. We investigate the decidability and complexity status of model-checking problems on unlabelled reachability graphs of Petri nets by considering first-order and modal languages without labels on transitions or atomic propositions on markings. We consider several parameters to separate decidable problems from undecidable ones. Not only are we able to provide precise borders and a systematic analysis, but we also demonstrate the robustness of our proof techniques.



Decision problems for Petri nets. Petri nets are among the oldest families of generators of infinite state systems, and much effort has been dedicated to their algorithmic analysis. For Petri nets, the reachability problem is hard but decidable [35]. Further important problems that are specific to Petri nets and that were shown decidable are boundedness [29, 38], deadlock-freeness and liveness [20] (by reduction to reachability), persistence [H], and semilinearity [22]. Hack's thesis [20] provides a comprehensive overview of problems equivalent to Petri net reachability. On the negative side, language equality is undecidable for labelled Petri nets [21, 1], but it can be decided for injectively labelled as well as for labelled and deterministic Petri nets [S^ (by a reduction to reachability). Another undecidability result for Petri nets, obtained by Rabin [3] and Hack [21], is that equality of reachability sets of two Petri nets with identical places is undecidable. As our main contribution, we link this result to first-order logic expressing properties of general Petri net reachability graphs.

1998 ACM Subject Classification: F.1.1, F.4.1. 
We provide a robust proof schema that entails undecidability of most logical fragments interpreted on such graphs.

Our motivations. For Petri nets, model checking CTL formulae with atomic propositions of the form p ≥ 1 (place p contains at least one token) is known to be undecidable [13]. This negative result carries over to all fragments of CTL containing the modalities EF or AF. Furthermore, model checking CTL without atomic propositions but with next-time modalities indexed by action labels is undecidable too [13]. In contrast, LTL model checking over vector addition systems with states is ExpSpace-complete [19] when atomic propositions refer to control states.

These negative results do not compromise the search for decidable fragments of first-order logic that describe, purely graph-theoretically, the shape of Petri net state graphs. So we intentionally avoid edge labels and atomic propositions interpreted on markings. As an example, we shall consider the first-order structure (N^n, →) derived from a Petri net N with n places such that M → M' iff M evolves to M' by firing a transition of N. Since (N^n, →) is an automatic structure, its first-order theory over the predicates → and = is decidable, see e.g. [6]. This decision procedure can be extended to Petri net state graphs with Presburger-definable predicates on markings and with labels on transitions. As a second example of results related to our work, given a formula φ in FO(→, =) with free variables x_1, ..., x_m, one can effectively construct a Presburger formula that characterizes exactly the valuations of x_1, ..., x_m satisfying φ in (N^n, →).

However, it is unclear what happens if we consider the first-order theory of → over the practically interesting structure (Reach(N), →). Here, Reach(N) denotes the set of all markings reachable from the initial marking of the Petri net N. Our paper studies this problem. We investigate the decidability status of several first-order logics, sometimes extended by a bit of MSO (via reachability predicates), sharing with [40] a common motivation. The properties of the reachability graph we are interested in are purely graph-theoretical in that they do not refer to tokens or transition labels, and they are mostly local in that we often restrict ourselves to → instead of its transitive closure. As summarised in Table 1 (Section 5), we settle the decidability status of most problems. To the best of our knowledge, this is the first study of logics for the reachability graph. In particular, related logics in [3] consider quantitative properties on markings and transitions, and evaluate formulae on runs. We do not refer to tokens or to transition labels.

Our contributions. We investigate the model-checking problem over structures of the form (Reach(N), →, →*) generated from Petri nets N, with first-order languages including predicate symbols for → and/or →*. We consider variants depending on the predicates and on whether Reach(N) or →* are effectively semilinear. This allows us to provide a refined analysis of the decidability borders for such problems. As it is a classical fragment of first-order logic, we also consider the modal language ML(□, □⁻¹) with forward and backward modalities. Let us mention some features of our investigation:
(1) Undecidability proofs are obtained by reduction from the equality problem (or the inclusion problem) between reachability sets defined by Petri nets, shown undecidable in [3, 21]. We demonstrate that our proof schema is robust and can be adapted to numerous formalisms specifying local properties as in first-order logic. Moreover, undecidability can be obtained even for a fixed formula (i.e., for a fixed property).
(2) To determine the cause of undecidability, we investigate logical fragments. At the same time, we strive for maximally expressive decidable fragments. With these two goals, our study of graph-theoretical properties is quite systematic.

(3) For decidable problems, we assess the computational complexity, either relative to standard complexity classes such as PSpace or ExpSpace or by establishing a reduction from the reachability problem for Petri nets (when decision procedures rely on solving instances of this problem).

Our main findings are as follows (refined statements can be found in the body of the paper, see also Table 1 in Section 5):

★ Model checking (Reach(N), →) [resp. (Reach(N), →*), (Reach(N), →+)] is undecidable for the corresponding first-order language with a single binary predicate symbol.
★ Undecidability is also shown for the positive fragment of FO(→), for the forward fragment of FO(→), and for FO(→) augmented with →*. The latter result even holds if the reachability sets are effectively semilinear.
★ Combining procedures for coverability and reachability in Petri nets, we obtain some positive results. We prove that model checking the existential fragment of FO(→) is decidable, but as hard as the reachability problem for Petri nets. Moreover, the model checking problem is decidable for FO(→, =) under the assumption that the relations → and →* are semilinear (consequence of [6]). We have not found any decision result between these two extremes.
★ Concerning the modal language ML(□, □⁻¹), the global model-checking problem on (Reach(N), →) is undecidable but it becomes decidable when restricted to ML(□) (even if extended with Presburger-definable predicates on markings); the latter problem is also as hard as the reachability problem for Petri nets.
One may regret that our main results turn towards undecidability but this was not clear 
at all when we began our study. On the positive side, we were able to identify non-trivial 
fragments for which the decision problems can be of high computational complexity. Our 
results shed some new light on the verification of structural properties on unlabelled net 
reachability graphs. 

Structure of the paper. The remaining sections are organized as follows. Section 2 brings 
the background of the study. Section 3 presents results that focus on the reachability 
graph without the reachability predicate. Section 4 presents those involving the reachability 
predicate. 

2. Preliminaries 

We recall basics on Petri nets and semilinear sets and we give the standard definitions 
and fundamental results used in the paper. We first introduce the notations needed when 
considering Petri net reachability graphs as models for first-order sentences. Then, we define 
first-order logic and modal logic interpreted on graphs induced by Petri nets. Finally, we 
present positive decidability results about model-checking problems. 
2.1. Petri nets. A Petri net is a bipartite graph N = (P, T, F, M_0), where P and T are finite disjoint sets of places and transitions, and F : (P × T) ∪ (T × P) → N assigns a non-negative integer weight to every directed edge between a place and a transition (weight 0 meaning that the edge is absent). A marking of N is a function M : P → N. M_0 is the initial marking of N. A transition t ∈ T is enabled at a marking M, written M[t⟩, if M(p) ≥ F(p, t) for all places p ∈ P. If t is enabled at M then it can be fired. This leads to the marking M' defined by M'(p) = M(p) + F(t, p) − F(p, t) for all p ∈ P. The firing relation is denoted by M[t⟩M'. The definitions are extended to transition sequences s ∈ T* in the expected way. A marking M' is reachable from a marking M if M[s⟩M' for some s ∈ T*. A transition t is in self-loop with a place p iff F(p, t) = F(t, p) > 0. A transition is neutral if it has null effect on all places, i.e., F(p, t) = F(t, p) for every p ∈ P. The reachability set Reach(N) of N is the set of all markings that are reachable from the initial marking M_0.

Theorem 2.1. [35] Given a Petri net N and two markings M and M', one can decide whether M' is reachable from M.

Theorem 2.2. [3, 21] Given two Petri nets N and N' with identical sets of places, it is undecidable whether Reach(N) = Reach(N') [resp. Reach(N) ⊆ Reach(N')].

A stronger version of Theorem 2.2 has been established in [28], where it was shown that undecidability still holds when N and N' have five places and one of these nets is fixed.

A Petri net N = (P, T, F, M_0) induces several standard structures on which first-order logics may be interpreted. The plain unlabelled reachability graph of N is the structure PURG(N) = (D, →) where D = Reach(N) and → is the binary relation on D defined by M → M' if M[t⟩M' for some t ∈ T. Note that M_0 ∈ D but no predicate is given to identify this specific marking. The unlabelled reachability graph of N is the structure URG(N) = (D, init, →, →*, →+, =) where init = {M_0}, and the relations →* and →+ are the reflexive-transitive and the transitive closures of →, respectively. The unlabelled transition graph of N is the structure UG(N) = (N^P, init, →, →*, →+, =) where M → M' if M[t⟩M' for some transition t ∈ T. Note that reachability of markings from M_0 is not taken into account in UG(N): its domain is the set of all markings. In the sequel, by default card(P) = n and we identify N^P and N^n. We also call 1-loop an edge M → M' with M = M'.
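The following Python script is an added illustration of the definitions above; it is not code from the paper. It encodes a net by pre/post weight vectors per transition, implements enabledness M[t⟩ and the firing rule M'(p) = M(p) + F(t, p) − F(p, t), and computes Reach(N) together with the edge relation → of PURG(N) by breadth-first search. The net EXAMPLE, its place and transition names and the exploration cap are constructed for this example. Exhaustive exploration only terminates for bounded nets, hence the cap; Theorem 2.1 below decides reachability for arbitrary nets, but by a very different and far more expensive argument.

```python
"""Petri net basics of Section 2.1: enabledness, firing, Reach(N) and PURG(N).

Added illustration, not code from the paper. Reach(N) is explored exhaustively,
which terminates only for bounded nets; a cap turns a runaway exploration into
an error instead of a hang.
"""
from collections import deque
from typing import Dict, List, Set, Tuple

Marking = Tuple[int, ...]   # a marking M : P -> N with places indexed 0..n-1


class PetriNet:
    """N = (P, T, F, M0); F is stored per transition as (pre, post) vectors
    with pre[p] = F(p, t) and post[p] = F(t, p)."""

    def __init__(self, n_places: int,
                 transitions: Dict[str, Tuple[List[int], List[int]]],
                 m0: List[int]) -> None:
        self.n = n_places
        self.T = {t: (tuple(pre), tuple(post)) for t, (pre, post) in transitions.items()}
        self.m0: Marking = tuple(m0)

    def enabled(self, m: Marking, t: str) -> bool:
        """M[t> holds iff M(p) >= F(p, t) for every place p."""
        pre, _ = self.T[t]
        return all(m[p] >= pre[p] for p in range(self.n))

    def fire(self, m: Marking, t: str) -> Marking:
        """M[t>M' with M'(p) = M(p) + F(t, p) - F(p, t)."""
        pre, post = self.T[t]
        return tuple(m[p] + post[p] - pre[p] for p in range(self.n))

    def successors(self, m: Marking) -> Set[Marking]:
        """{M' | M[t>M' for some t in T}: the unlabelled relation -> forgets t."""
        return {self.fire(m, t) for t in self.T if self.enabled(m, t)}

    def is_neutral(self, t: str) -> bool:
        """A neutral transition has F(p, t) = F(t, p) for all p; firing it gives a 1-loop."""
        pre, post = self.T[t]
        return pre == post

    def reach(self, max_markings: int = 10_000) -> Set[Marking]:
        """Reach(N) by breadth-first search from M0 (bounded nets only)."""
        seen, todo = {self.m0}, deque([self.m0])
        while todo:
            m = todo.popleft()
            for m2 in self.successors(m):
                if m2 not in seen:
                    if len(seen) >= max_markings:
                        raise RuntimeError("cap exceeded: the net may be unbounded")
                    seen.add(m2)
                    todo.append(m2)
        return seen

    def purg(self) -> Tuple[Set[Marking], Set[Tuple[Marking, Marking]]]:
        """PURG(N) = (D, ->) with D = Reach(N) and -> restricted to D."""
        d = self.reach()
        return d, {(m, m2) for m in d for m2 in self.successors(m)}


def one_loops(edges: Set[Tuple[Marking, Marking]]) -> Set[Marking]:
    """Markings carrying a 1-loop, i.e. an edge M -> M."""
    return {m for (m, m2) in edges if m == m2}


# Constructed example (not from the paper). Places are p0, p1, p2; M0 = (1, 0, 1).
#   move : p0 -> p1        back : p1 -> p0
#   idle : p2 -> p2        (neutral: yields a 1-loop wherever p2 holds a token)
#   drain: p0 + p2 -> p1   (destroys the p2 token, after which idle is disabled)
EXAMPLE = PetriNet(3, {
    "move":  ([1, 0, 0], [0, 1, 0]),
    "back":  ([0, 1, 0], [1, 0, 0]),
    "idle":  ([0, 0, 1], [0, 0, 1]),
    "drain": ([1, 0, 1], [0, 1, 0]),
}, [1, 0, 1])

if __name__ == "__main__":
    d, edges = EXAMPLE.purg()
    print(sorted(d))                              # the 4 reachable markings
    print(len(edges), sorted(one_loops(edges)))   # 7 edges, 2 of them 1-loops
```

The 1-loops come exactly from the neutral transition idle while p2 is marked; once drain has consumed the p2 token, the remaining markings form a plain 2-cycle without loops, so the graph is not cyclic in the sense used later (∀x ∀y x →* y ⇒ y →* x).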

2.2. Petri nets and semilinear sets. We rely on results about the semilinear subsets of N^n that represent possible markings of a Petri net with n places. Recall that (N^n, +) is a commutative monoid where the product operation is the componentwise addition of n-vectors (+) and the neutral element is the null n-vector.

A subset L ⊆ N^n is called linear if it can be expressed as x + {y_1, ..., y_m}* for vectors x ∈ N^n and y_1, ..., y_m ∈ N^n. The Kleene iteration {y_1, ..., y_m}* is a shorthand notation for the set of all sums k_1 y_1 + ... + k_m y_m with k_1, ..., k_m ∈ N. A subset E ⊆ N^n is semilinear if it is a finite union of linear subsets. Owing to the commutativity of the product operation +, semilinear subsets of N^n coincide with the regular subsets of N^n. Hence, they are generated by finite automata over N^n. Indeed, one can always choose finite automata whose transitions are labelled with generators, i.e., with n-vectors with a single non-null entry equal to 1. The semilinear subsets of N^n form an effective Boolean algebra [16], hence providing decision procedures for emptiness. In [17], Ginsburg and Spanier gave an effective correspondence between semilinear subsets and Presburger subsets, i.e., subsets of N^n definable in Presburger arithmetic. Presburger arithmetic can be decided in triple exponential time [8].
Proposition 2.3. Given a Petri net N = (P, T, F, M_0) and a semilinear subset of markings E ⊆ N^P, one can decide whether (some marking in) E can be reached from M_0.

Hack reduced this semilinear reachability problem to the reachability problem in Petri nets [21, Lemma 4.3]. The proposition now follows with the decidability of reachability in Theorem 2.1. The statement shows in particular that for any marking M ∈ N^P, one can decide whether a marking greater than or equal to M is reachable (the coverability problem), since the upward-closed set {M' | M' ≥ M} is linear.

We recalled in the introduction that it is decidable whether the reachability set of a Petri net is semilinear. Note that semilinearity of the reachability set Reach(N) does not entail semilinearity of the reachability relation →* ⊆ Reach(N) × Reach(N) ⊆ N^{2n}. Here are some classes of Petri nets and counter systems for which the reachability relation →* is effectively semilinear (apart from bounded Petri nets):
★ Cyclic Petri nets, see e.g. [2, 19, 32].
★ Communication-free Petri nets [12].
★ Vector addition systems with states of dimension 2 [25, 23].
★ Single-path Petri nets [26].
★ Petri nets with regular languages [Hj.
★ Flat affine counter systems with the finite monoid property [7, 14].
★ Flat relational counter systems [11, 10].
★ Reversal-bounded counter systems [27].
Some of these results require complex machinery but they are essential to use the decision procedures based on effective semilinearity.

2.3. First-order languages. To specify properties of the structures URG(N), PURG(N) and UG(N) obtained from a Petri net N, we introduce a first-order logic FO with atomic predicates x → y, x →* y, x →+ y and init(x). Formulae in FO are defined by

φ ::= x → y | x →* y | x →+ y | init(x) | x = y | ¬φ | φ ∧ φ | ∃x φ | ∀x φ.

Given a set P of predicate symbols from the above signature, we denote the restriction of FO to the predicates in P by FO(P). By default, FO refers to the full language. Formulae are interpreted either on PURG(N), URG(N) or UG(N). Observe that FO on UG(N) enables, using init and the reachability predicates, to relativize formulae to URG(N), but restricted logical languages motivate the existence of both structures. It is worth noting that by slight abuse, we sometimes use the same notation for a predicate symbol and its fixed interpretation. Note that, as regards interpretation, →* = (= ∪ →+) and →+ = (→ ∘ →*), hence FO(init, →, →*, =), FO(init, →, →+, =) and FO(init, →, →*, →+, =) are equally expressive.

FO indicates that one can quantify over markings. Note that the predicates →* and →+ exceed the expressiveness of usual first-order logics on graphs. We omit the standard definition of the satisfaction relation U, v ⊨ φ with U a structure (PURG(N), URG(N) or UG(N)) and v a valuation of the free variables in φ. For example, ∀x φ holds true whenever the formula φ holds true for all elements (markings) of the considered structure. Sentences are closed formulae, i.e., without free variables. If U ⊨ φ then U is called a model of φ.

It is worth noting that FO can only describe graph-theoretical properties of the structures U, apart from equality tests. The binary relations do not use transitions of nets as labels and no atomic propositions give reference to markings. As a consequence, quantitative properties about markings cannot be expressed in FO, at least in the obvious way, and constraints about the firing of specific transitions cannot be expressed either. Note that FO is not minimal when it comes to expressiveness. The redundancies, however, help us design interesting logical fragments.

In the sequel, we consider several model-checking problems. The model-checking problem MC^URG(FO) is stated as follows:

input: a Petri net N = (P, T, F, M_0) and a sentence φ ∈ FO
question: URG(N) ⊨ φ?

The variant MC^UG(FO) is:

input: a Petri net N = (P, T, F, M_0) and a sentence φ ∈ FO
question: UG(N) ⊨ φ?

The logics FO(P) (atomic formulae restricted to predicates in P) induce restricted variants of the two model checking problems that we denote by MC^URG(FO(P)) and MC^UG(FO(P)), respectively. Formulae in FO can express standard structural properties, for instance deadlock-freeness with ∀x ∃y x → y, existence of a 1-loop with ∃x x → x, or cyclicity with ∀x ∀y (x →* y ⇒ y →* x). Automatic structures form a large class of structures having a decidable model checking problem for FO. These structures have presentations in which k-ary relations are defined by synchronous automata (see [6] for more details).
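As an added illustration (not code from the paper) of the three sample sentences, here is a brute-force evaluator for FO(→, →*, =) sentences over a finite directed graph (D, →): it computes →* by iterating the closure and evaluates quantifiers by enumerating D. This covers only the finite case; Reach(N) is infinite in general, and Section 3 shows that model checking FO(→) over reachability graphs is undecidable. The nested-tuple encoding of formulae and the sample graph G are constructed for this example.

```python
"""Brute-force evaluation of FO(->, ->*, =) sentences on a finite graph (D, ->).

Added illustration, not code from the paper: the finite-structure special case of
MC^PURG(FO). Formulae are nested tuples:
  ('edge', x, y) | ('star', x, y) | ('eq', x, y) | ('not', f) | ('and', f, g)
  | ('exists', x, f) | ('forall', x, f)          with x, y variable names.
"""
from typing import Dict, Hashable, Set, Tuple

Node = Hashable
Graph = Tuple[Set[Node], Set[Tuple[Node, Node]]]   # (D, ->)


def reflexive_transitive_closure(nodes, edges) -> Set[Tuple[Node, Node]]:
    """->* as a set of pairs, by saturating {(x,x)} u -> under composition."""
    star = {(x, x) for x in nodes} | set(edges)
    changed = True
    while changed:
        changed = False
        for (x, y) in list(star):
            for (y2, z) in list(star):
                if y == y2 and (x, z) not in star:
                    star.add((x, z))
                    changed = True
    return star


def holds(graph: Graph, phi, env: Dict[str, Node] = None, star=None) -> bool:
    """graph, env |= phi; quantifiers range over the finite domain D."""
    nodes, edges = graph
    env = env or {}
    if star is None:
        star = reflexive_transitive_closure(nodes, edges)
    op = phi[0]
    if op == 'edge':
        return (env[phi[1]], env[phi[2]]) in edges
    if op == 'star':
        return (env[phi[1]], env[phi[2]]) in star
    if op == 'eq':
        return env[phi[1]] == env[phi[2]]
    if op == 'not':
        return not holds(graph, phi[1], env, star)
    if op == 'and':
        return holds(graph, phi[1], env, star) and holds(graph, phi[2], env, star)
    if op == 'exists':
        return any(holds(graph, phi[2], {**env, phi[1]: v}, star) for v in nodes)
    if op == 'forall':
        return all(holds(graph, phi[2], {**env, phi[1]: v}, star) for v in nodes)
    raise ValueError(f"unknown connective {op!r}")


def implies(f, g):
    """f => g, expressed with the primitive connectives only."""
    return ('not', ('and', f, ('not', g)))


# The three sample sentences of the text.
DEADLOCK_FREE = ('forall', 'x', ('exists', 'y', ('edge', 'x', 'y')))
HAS_ONE_LOOP = ('exists', 'x', ('edge', 'x', 'x'))
CYCLIC = ('forall', 'x', ('forall', 'y',
          implies(('star', 'x', 'y'), ('star', 'y', 'x'))))

# Constructed finite "reachability graph" (not from the paper), nodes 0..3:
# 0 <-> 1 form a cycle, 1 -> 2 leaves it, 2 carries a 1-loop, 3 is a deadlock.
G: Graph = ({0, 1, 2, 3}, {(0, 1), (1, 0), (1, 2), (2, 2), (2, 3)})

if __name__ == "__main__":
    for name, phi in [("deadlock-free", DEADLOCK_FREE),
                      ("has 1-loop", HAS_ONE_LOOP), ("cyclic", CYCLIC)]:
        print(name, holds(G, phi))   # False, True, False
```

The evaluator is exponential in the quantifier depth (one pass over D per nested quantifier), which is harmless here but is precisely what no finite unrolling can reproduce when D = Reach(N) is infinite.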

Theorem 2.4. [6] Let S be an automatic structure. Then MC^S(FO) is decidable.

From [16], semilinear sets and semilinear relations are automatic. In particular, this means that (N^n, →, =) is automatic. Propositions 2.5, 2.6 and 2.7 are consequences of Theorem 2.4; they are provided below to present more explicitly the current state of knowledge.

Proposition 2.5. MC^UG(FO(→, =)) is decidable.

Note that given φ in FO(→, =), one can effectively build a Presburger formula that characterizes exactly the valuations satisfying φ in UG(N). Decidability is preserved with Presburger-definable properties on markings and with labelled transition relations [t⟩. However, having N^n as a domain does not always guarantee decidability, see the undecidability result in [40, Theorem 2] about a structure with domain N^n but equipped with successor relations for each dimension and with reachability predicates constrained by regular languages. Likewise, subproblems of MC^URG(FO) may require additional assumptions to achieve decidability, such as the semilinearity assumption made in the statement below. The proposition also follows from Theorem 2.4.

Proposition 2.6. Let C be a class of Petri nets for which the restriction to reachable markings of the reachability relation x →* y is effectively semilinear. Then MC^URG(FO) restricted to C is decidable.

Proof. Let N = (P, T, F, M_0) be a Petri net in C with card(P) = n. We represent its markings by vectors M ∈ N^n. By assumption, Reach(N) and the set {(M, M') | M, M' ∈ Reach(N) and M →* M'} are effectively semilinear (Reach(N) is the projection of the latter on its first component). Similarly, the set {(M, M) | M ∈ Reach(N)} is effectively semilinear. Define A = {(M, M') | M, M' ∈ Reach(N), M →* M' and M ≠ M'}. Then A is effectively semilinear. Let A² = {(M, M') | (∃M'') (M, M'') ∈ A and (M'', M') ∈ A}. As semilinear sets are closed under projection (quantifier elimination in Presburger arithmetic), A² is effectively semilinear. Now {(M, M') | M ∈ Reach(N) and M →+ M'} is equal to A ∪ A² ∪ L, where L = {(M, M) | M ∈ Reach(N) and some neutral transition is enabled at M} collects the 1-loops: a pair (M, M') with M ≠ M' belongs to →+ iff it belongs to A, and M →+ M holds iff either M → M'' →* M for some M'' ≠ M (so that (M, M) ∈ A²) or M → M, i.e., a neutral transition is enabled at M. L is effectively semilinear because enabledness of a fixed transition is an upward-closed, Presburger-definable condition on M. Hence the set of pairs in →+ is effectively semilinear. Therefore, through the effective correspondence between semilinear sets and sets definable in Presburger arithmetic, any sentence φ of FO translates to a sentence φ' of Presburger arithmetic such that URG(N) ⊨ φ if and only if φ' is true. The proposition follows from the decidability of Presburger arithmetic [39]. □

When reachability sets are effectively semilinear but the reachability relation is not, the strictly less expressive logical fragment FO(→, =) remains decidable, from Theorem 2.4.

Proposition 2.7. Let C be a class of Petri nets N for which Reach(N) is effectively semilinear. Then MC^URG(FO(→, =)) restricted to C is decidable.

Proof. Consider a Petri net N = (P, T, F, M_0) in C. Assume the Presburger formula φ(x_1, ..., x_n) characterizes Reach(N) where |P| = n. There is a second Presburger formula φ'(x_1, ..., x_n, x'_1, ..., x'_n) that characterizes the binary relation → in UG(N): it is the disjunction over t ∈ T of the conjunctions ⋀_{j ∈ [1,n]} (x_j ≥ F(p_j, t) ∧ x'_j = x_j + F(t, p_j) − F(p_j, t)).

Given a sentence ψ in FO(→, =), one can build a sentence f(ψ) in Presburger arithmetic such that URG(N) ⊨ ψ iff f(ψ) is true. The map f(·) is homomorphic for Boolean connectives. Furthermore,

★ f(z = z') = ⋀_{j ∈ [1,n]} z_j = z'_j,
★ f(z → z') = φ'(z_1, ..., z_n, z'_1, ..., z'_n),
★ f(∀z χ) = ∀z_1, ..., z_n (φ(z_1, ..., z_n) ⇒ f(χ)),
★ f(∃z χ) = ∃z_1, ..., z_n (φ(z_1, ..., z_n) ∧ f(χ)).

To evaluate the predicate →, we resort to φ'. With φ, we relativize the quantifiers to take only positions in Reach(N) into account. □

Again, decidability is preserved with Presburger-definable properties on markings and with labelled transition relations of the form M[t⟩M'. To give an example application of this result, MC^URG(FO(→, =)) restricted to cyclic Petri nets is decidable. This follows from Proposition 2.7 combined with the fact that cyclic Petri nets have semilinear reachability sets [9]. The restriction to the language FO(→, =) is essential for the decidability in Proposition 2.7. As we shall see in Proposition 4.5, the related model checking problem MC^URG(FO(→, →*)) is undecidable, even under the assumption of semilinearity for the reachability sets.

2.4. Standard first-order fragments: modal languages. By moving along edges, modal languages provide a local view of (potentially labelled) graph structures. Note the contrast to first-order logic in which one quantifies over any element of the structure. Applications of modal languages include modelling temporal and epistemic reasoning, and they are central for designing logical specification languages. In this paper, we consider simple modal languages understood as distinguished fragments of first-order logic. Moreover, the modal language ML defined below has no propositional variable (like Hennessy-Milner modal logic [23] but unlike standard modal logic K [5]) and no label on modal operators (unlike in modal languages dedicated to describing labelled transition systems). This allows us to interpret modal formulae on directed graphs of the form (Reach(N), →). However, in some places, we shall indicate when decidability or complexity results can be extended to richer versions of ML. The modal formulae in ML are defined by the grammar

φ ::= ⊥ | ⊤ | ¬φ | φ ∧ φ | □φ | ◇φ | □⁻¹φ | ◇⁻¹φ.
This language is not only poor compared to first-order logic, but also little expressive compared to other modal dialects. Yet, it is sometimes sufficiently expressive to obtain first undecidability results for model checking Petri net structures. Given a modal formula φ, its modal degree is the greatest number of nested occurrences of modal operators in φ. We write ML(□) to denote the restriction of ML to the modal operators □ and ◇. We interpret modal formulae on directed graphs of the form (D, →) for some Petri net N = (P, T, F, M_0) with URG(N) = (D, init, →, →*, →+, =). We provide the definition of the satisfaction relation ⊨ relative to an arbitrary directed graph M = (W, R) (and w ∈ W). The clauses for Boolean connectives and logical constants are standard and we omit them. For the modal operators, we set

★ M, w ⊨ □φ iff for every w' ∈ W such that (w, w') ∈ R, we have M, w' ⊨ φ.
★ M, w ⊨ ◇φ iff there is w' ∈ W such that (w, w') ∈ R and M, w' ⊨ φ.
★ M, w ⊨ □⁻¹φ iff for every w' ∈ W such that (w', w) ∈ R, we have M, w' ⊨ φ.
★ M, w ⊨ ◇⁻¹φ iff there is w' ∈ W such that (w', w) ∈ R and M, w' ⊨ φ.

As usual, □ and ◇ as well as □⁻¹ and ◇⁻¹ are dual operators that can be defined one from another as soon as negation is part of the language.

The model-checking problem MC^URG(ML) is the following:

input: a Petri net N = (P, T, F, M_0) and a modal formula φ ∈ ML.
question: (Reach(N), →), M_0 ⊨ φ?

Let MC^URG(ML(□)) denote MC^URG(ML) restricted to ML(□). Proposition 2.8 proves this model checking problem decidable. The procedure exploits the fact that a modal formula of modal degree d can only induce constraints on nodes at distance at most d from the initial marking, a standard argument, see e.g. [5].

Proposition 2.8. MC^URG(ML(□)) is decidable and PSpace-complete.

Proof. Consider a Petri net N = (P, T, F, M_0) with URG(N) = (D, init, →, →*, →+, =). Let φ be a modal formula in ML(□) with modal degree d (d is the greatest number of nested occurrences of modal operators in φ). We consider the directed graph M = (W, R) so that
★ W ⊆ N^P and R is the restriction of → to W.
★ For M ∈ N^P we set M ∈ W iff there is a sequence of transitions s of length at most d such that M_0[s⟩M.
Observe that M is finite and the cardinal of W is at most exponential in the size of N and d. One can show that M, M_0 ⊨ φ iff (D, →), M_0 ⊨ φ. Hence, MC^URG(ML(□)) is decidable, because the model-checking problem for ML over finite structures is decidable (in polynomial time). The PSpace upper bound can be obtained with an algorithm similar to the one that shows CTL model checking over 1-safe Petri nets to be in PSpace, see e.g. [13, Section 4.2]. Our problem is actually simpler since we can restrict ourselves to the temporal operators AX and EX corresponding to □ and ◇, respectively. We briefly describe below the recursive algorithm MC((P, T, F, M_0), φ) that returns true iff (D, →), M_0 ⊨ φ. We proceed by a case analysis.
φ = ⊤: return true;
φ = ¬φ': if MC((P, T, F, M_0), φ') then return false else return true;
φ = φ_1 ∧ φ_2: if MC((P, T, F, M_0), φ_1) and MC((P, T, F, M_0), φ_2) then return true else return false;
φ = □φ': if for some M' such that M_0[t⟩M' with t ∈ T we have MC((P, T, F, M'), φ') = false then return false else return true.
Note that the depth of recursive calls for MC((P, T, F, M_0), φ) is bounded by the modal degree of φ, and each call requires only polynomial space in the size of (P, T, F, M_0) and φ: every marking visited is at distance at most d from M_0, so each of its components is bounded by the largest component of M_0 plus d times the largest weight in F. Hence, MC((P, T, F, M_0), φ) runs in (nondeterministic) polynomial space, and by Savitch's Theorem we get the PSpace bound.

To establish PSpace-hardness, we give a reduction from QBF. Let Q_1 p_1 ··· Q_{2n} p_{2n} ψ be a QBF formula where Q_1 ··· Q_{2n} is a sequence of quantifiers starting with Q_1 = ∃, alternating strictly ∃ and ∀, and ψ is a quantifier-free propositional formula built over the propositional variables in {p_1, ..., p_{2n}}. We consider a modal formula φ of the form (◇□)^n φ' where φ' is obtained from ψ by replacing each propositional variable p_i by ◇^i □⊥. Construct a Petri net N = (P, T, F, M_0) as follows. The set of places P contains a subset {p_1, ..., p_{2n}}, in bijection with the atomic propositions and initially empty, plus auxiliary control places. From M_0, N executes first a sequence of 2n independent choices (t'_1 + t''_1) · (t'_2 + t''_2) · ... · (t'_{2n} + t''_{2n}) where t'_i puts i tokens in place p_i to represent the truth of the corresponding atomic proposition while t''_i puts no tokens in p_i to indicate that the proposition does not hold. After this sequence of binary choices, N executes a non-deterministic choice (x_1 + ··· + x_{2n}) where x_i removes one token from p_i and puts one token in a place p'_i which was initially empty. Each control place p'_i is set in self-loop with a transition t_i that removes at each firing one token from p_i.

Existential quantifications are replaced by ◇, and universal ones by □. A path relative to a formula (◇□)^n then ends up in a configuration where truth values have been chosen for all variables. Note that the formula needs to be true for one continuation at each ◇ position and true for each continuation at □ positions. The last part of the formula needs to check the truth values of individual variables. For each p_i, we have a formula ◇^i □⊥ that is true only when there is precisely a path of length i ending in a deadlock, which corresponds to our encoding of truth values: if p_i holds, x_i followed by i − 1 firings of t_i is such a path, whereas if p_i is empty, x_i is disabled and every other choice x_j deadlocks after exactly j ≠ i steps. The selection of each individual variable (and only one) is performed by the choice (x_1 + ··· + x_{2n}). Altogether, (Reach(N), →), M_0 ⊨ (◇□)^n φ' iff Q_1 p_1 ··· Q_{2n} p_{2n} ψ is true. Note that Reach(N) is finite. □

For simple models (like finite structures), adding □⁻¹ to ML(□) often does not change the decidability status or the computational complexity of model checking, see e.g. [5]. When it comes to Petri net reachability graphs PURG(N), adding the backward operator □⁻¹ preserves decidability but at the cost of performing reachability checks.

Proposition 2.9. MC^URG(ML(□, □⁻¹)) is decidable.

Proof. Consider a Petri net N = (P, T, F, M_0) with URG(N) = (D, init, →, →*, →+, =). Let φ be a modal formula in ML(□, □⁻¹) of modal degree d. Define N⁻ = (P, T ∪ T⁻¹, F⁻, M_0) where T⁻¹ is a set of formal inverses of the transitions in T, i.e., F⁻ coincides with F on T and F⁻(p, t⁻¹) = F(t, p) and F⁻(t⁻¹, p) = F(p, t) for all t ∈ T. To model check URG(N) against φ, the idea is to consider a depth-d unrolling of URG(N). However, when following inverse transitions M'[t⁻¹⟩M, reachability checks are needed to guarantee that the target marking M belongs to the domain D of the structure URG(N). These checks are effective by Theorem 2.1 quoted from [35, 30, 31]. More formally, we consider the directed graph M' = (W', R') defined by
★ W' ⊆ N^P and R' is the restriction of → to W'.
★ For M ∈ N^P we set M ∈ W' iff
(a) M ∈ D,
(b) there is a sequence of transitions s ∈ (T ∪ T⁻¹)* of length at most d such that M_0[s⟩M in N⁻.
Checking M_0[s⟩M is easy whereas M ∈ D requires a reachability check. Observe that M' is finite and effectively constructible. The cardinal of W' is exponential in d. One can show that M', M_0 ⊨ φ iff (D, →), M_0 ⊨ φ. Hence, MC^URG(ML(□, □⁻¹)) is decidable, because model checking ML over finite structures is a decidable problem that takes polynomial time. □
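The following Python program is an added illustration of the procedures of Propositions 2.8 and 2.9; it is not code from the paper. It evaluates an ML(□, □⁻¹) formula at a marking by recursion on the formula, which makes the procedure of Proposition 2.8 deterministic (all successors are enumerated instead of guessed) and visits only markings at distance at most the modal degree from M_0, so the forward-only case terminates even on an unbounded net. For □⁻¹ and ◇⁻¹ it fires the formal inverses t⁻¹ (pre and post weights swapped) and filters the candidates through an oracle in_reach for Reach(N), which stands in for the reachability decision of Theorem 2.1: as the second constructed net shows, M[t⁻¹⟩M' alone does not guarantee M' ∈ Reach(N). The nets N1 and N2, the tuple encoding of formulae and the oracle are constructed for this example.

```python
"""Depth-bounded model checking of ML(box, box^-1) at the initial marking.

Added illustration, not code from the paper. Recursion on the formula makes the
procedure of Proposition 2.8 deterministic (all successors are enumerated instead
of guessed); backward modalities follow Proposition 2.9: candidate predecessors
come from formal inverse transitions and are filtered by a reachability oracle.
"""
from typing import Callable, Iterable, List, Tuple

Marking = Tuple[int, ...]
Transition = Tuple[Tuple[int, ...], Tuple[int, ...]]   # (pre, post): F(p,t), F(t,p)


def successors(T: Iterable[Transition], m: Marking) -> List[Marking]:
    """{M' | M[t>M' for some t}: enabled iff M(p) >= F(p,t); M'(p) = M(p)+F(t,p)-F(p,t)."""
    return [tuple(a + q - r for a, r, q in zip(m, pre, post))
            for pre, post in T if all(a >= r for a, r in zip(m, pre))]


def predecessors(T: Iterable[Transition], m: Marking,
                 in_reach: Callable[[Marking], bool]) -> List[Marking]:
    """Fire the formal inverses t^-1 (pre/post swapped) at m and keep only the
    candidates the oracle confirms to lie in Reach(N): M[t^-1>M' alone does not
    guarantee M' in Reach(N)."""
    inverse = [(post, pre) for pre, post in T]
    return [m1 for m1 in successors(inverse, m) if in_reach(m1)]


def mc(T, m: Marking, phi,
       in_reach: Callable[[Marking], bool] = lambda _m: True) -> bool:
    """(Reach(N), ->), m |= phi for
       phi ::= 'top' | 'bot' | ('not', f) | ('and', f, g)
             | ('box', f) | ('dia', f) | ('box_inv', f) | ('dia_inv', f).
    Recursion depth equals the modal degree, so only markings within that
    distance of m are ever constructed; no reachability set is built."""
    if phi == 'top':
        return True
    if phi == 'bot':
        return False
    op, *args = phi
    if op == 'not':
        return not mc(T, m, args[0], in_reach)
    if op == 'and':
        return mc(T, m, args[0], in_reach) and mc(T, m, args[1], in_reach)
    if op in ('box', 'dia'):
        nexts = successors(T, m)
    elif op in ('box_inv', 'dia_inv'):
        nexts = predecessors(T, m, in_reach)
    else:
        raise ValueError(f"unknown operator {op!r}")
    quant = all if op.startswith('box') else any
    return quant(mc(T, m2, args[0], in_reach) for m2 in nexts)


def dia_n(n: int, phi):
    """◇^n phi, the shape used for the atoms in the QBF encoding of Proposition 2.8."""
    for _ in range(n):
        phi = ('dia', phi)
    return phi


# Net N1 (constructed, unbounded): one place, t: p -> 2p gains one token per
# firing, so Reach(N1) = {1, 2, 3, ...}. Forward formulae are still decided.
N1: List[Transition] = [((1,), (2,))]
M1: Marking = (1,)

# Net N2 (constructed, bounded): places (p, q), M0 = (1, 0).
#   a: p -> q,   b: q -> p,   c: p + q -> p   (c is never enabled from M0)
# Reach(N2) = {(1,0), (0,1)}; firing c^-1 at (1,0) yields (1,1), which is
# NOT reachable, so the backward modalities must filter it out.
N2: List[Transition] = [((1, 0), (0, 1)), ((0, 1), (1, 0)), ((1, 1), (1, 0))]
M2: Marking = (1, 0)
REACH_N2 = {(1, 0), (0, 1)}


def in_reach_n2(m: Marking) -> bool:
    """Oracle for Reach(N2), known here by inspection of the tiny net; in general
    this is the reachability decision of Theorem 2.1."""
    return m in REACH_N2


if __name__ == "__main__":
    print(mc(N1, M1, dia_n(3, 'top')))             # True: 1 -> 2 -> 3 -> 4
    print(predecessors(N2, M2, lambda _m: True))  # [(0, 1), (1, 1)], unfiltered
    print(predecessors(N2, M2, in_reach_n2))      # [(0, 1)]
```

Replacing the oracle by the constant True turns the program into a model checker for UG(N) restricted to the unrolling, which is exactly the structure the paper warns against conflating with URG(N): without the filter, (1, 1) would count as a predecessor of the initial marking of N2.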

The best known decision procedures for Petri net reachability are non-primitive recursive, which provides the worst possible and hopefully not tight upper bound on the complexity of the model-checking problem MC^URG(ML(□, □⁻¹)). Unfortunately, it might well be the case that this upper complexity bound is tight, for we shall (in turn) reduce Petri net reachability to the above model-checking problem in Section 3.4.

We introduce another decision problem about ML that is closely related to first-order model checking over reachability graphs. The validity problem VAL^URG(ML), also known as global model checking, is stated as follows:

input: a Petri net N = (P, T, F, M_0) that induces the structure URG(N) = (D, init, →, →*, →+, =), and a modal formula φ ∈ ML.
question: (D, →), M ⊨ φ for every marking M ∈ D?

As observed earlier, formulae from ML(□, □⁻¹) can be viewed as first-order formulae in FO(→). Therefore, using modal languages in specifications is a way to consider fragments of FO(→). Indeed, given a modal formula φ in ML(□, □⁻¹), one can compute in linear time a first-order formula φ' with only two individual variables (see e.g. [5]) that satisfies: for every Petri net N we have PURG(N) ⊨ φ' iff PURG(N), M ⊨ φ for every marking M in Reach(N). Hence, the validity problem VAL^URG(ML) appears as a natural counterpart to the model-checking problem for FO over unlabelled reachability graphs of Petri nets. We will see in the next section that both problems are undecidable.

We conclude the section by introducing an extension of ML that admits quantifier-free formulae from Presburger arithmetic as atomic propositions. The idea is to pose arithmetical constraints on the numbers of tokens in places, and thus to increase the expressiveness of ML. We call this logic PAML and it will be mainly used in decidability results in Section 3.3. The domain of the structure for PAML needs to be of the form N^P. More precisely, with terms t ::= a × p | t + t where p is a place and a ∈ Z, we define PAML from ML by adding atomic formulae ψ defined by

ψ ::= ⊤ | t < k | t > k | t ≡_c k' | ψ ∧ ψ | ¬ψ.

Here, ⊤ is the truth constant, c ∈ N \ {0, 1}, k ∈ Z and k' ∈ N, and t ≡_c k' holds iff t and k' are congruent modulo c. The definition of (Reach(N), →), M ⊨ ψ depends on the definition of satisfaction of ψ in Presburger arithmetic by a tuple M. The details are as expected and we omit them here. It can be shown that MC^URG(PAML(□, □⁻¹)) is decidable. The proof is similar to the proof of Proposition 2.9.
3. Structural Properties of Unlabelled Net Reachability Graphs

We study the decidability status of model checking unlabelled reachability graphs of Petri
nets against the first-order and modal logics defined in the previous section. Recall that the
logics are designed to express purely graph-theoretical properties of reachability graphs.



3.1. A proof schema for undecidability of FO(→). To establish undecidability of
MC^URG(FO(→)), model checking reachability graphs against first-order specifications, we
provide a reduction of the equality problem for reachability sets. For two Petri nets N_1
and N_2 with identical sets of places, Hack proved it to be undecidable whether the sets
of reachable markings Reach(N_1) and Reach(N_2) coincide (Theorem 2.2 recalls this result
from [21]). To encode the equality problem into a first-order model checking problem, we
join N_1 and N_2 in a third Petri net N. The construction ensures that equality of the reachability
sets can be checked with a first-order query: Reach(N_1) = Reach(N_2) if and only
if PURG(N) ⊨ φ. Interestingly, φ is a fixed formula and thus independent of the inputs
N_1 and N_2. Before we turn to the technicalities, we sketch the idea of the construction
and comment on why it yields so much expressiveness. With an initial guess, N decides to
simulate either N_1 or N_2. At any time, N may stop the simulation. Then N either behaves
in one of two distinct ways, according to the initial choice between N_1 and N_2, or, alternatively,
N forgets this choice and enters a deadlock marking M that reflects the last marking of
N_1 or N_2 in the simulation.

The reachability sets of N_1 and N_2 are equal if and only if every simulation result M can
be obtained from both N_1 and N_2. But inspecting M in isolation does not reveal whether
it stemmed from N_1 or N_2. The idea is in the different behaviours that recall the initial
guess when the simulation ends. They yield a neighbourhood of M in the reachability graph
of N that reveals the origin of the marking. Indeed, with finite experiments we can check
whether M is found in the simulation of N_1 or N_2. Equality of the reachability sets is then
checked by a formula φ which requires that, for any simulation result M, both experiments
witnessing for N_1 and N_2 succeed. The experiments consist of one backward transition and
some forward transitions. Backward transitions reconstruct the initial choice, and forward
transitions distinguish the nets N_1 and N_2.

The strength of this construction stems from the combination of two ideas. A Petri
net can (i) store choices over arbitrarily long histories and (ii) reveal this propagated information
in local structures. These structures can be characterised by finite back and forth
experiments that are expressed in terms of first-order formulae.

Construction. The two nets N_1 and N_2 to be compared for equality of reachability sets share
all places. The constructed net, N, has these places together with an initialization place p,
two control places p_1 and p_2, and additional places p'_1, p'_2 and p''_1 that we will elaborate on
below. The initialization place is the only place that is initially marked, by a single token.

As transitions, N has the disjoint union of the transitions of N_1 and N_2, plus additional
transitions that we introduce now together with an explanation of their intended behaviour.
The original transitions are put in self-loop with the respective control places. Furthermore,
we have two concurrent transitions t^1_init, t^2_init that consume the initial token and mark either p_1
and all places marked in the initial configuration of N_1, or p_2 and all places marked in the
initial configuration of N_2. Firing t^1_init starts the simulation of N_1, and similarly for t^2_init. Each
subnet N_1 and N_2 may be stopped at any time by firing transitions t^1_stop and t^2_stop that move
the token from the control place p_1 or p_2 to the place p'_1 or p'_2, respectively. As a result,
the token count on the places of N_1 and N_2 is not changed any more.

When the transitions t^1_stop and t^2_stop have been fired, N behaves as indicated in Figure 3.1
below M_1 and M_2, respectively. At a marking M_1, place p'_1 enables a transition which
puts a token on p''_1 (the marking depicted below M_1 in the figure). The place p''_1 enables a transition t_sl in
self-loop. Furthermore, two transitions t^1_dl and t^2_dl (from M_1 to M_L and from M_2 to M_R)
empty the places p'_1 and p'_2. The markings reached by these transitions are designed to be
deadlocks. Moreover, by construction of N, deadlock markings can only be reached this
way (as M_L or M_R or both). Since firing t^1_dl or t^2_dl lets N forget the index 1 or 2 of the net
that was simulated, we have the following relationship. Whenever a marking M is reached
both in N_1 and N_2, the corresponding markings in N lead to M_L = M_R.




Figure 3.1: Reachability graph of N 



A formula expressing equality of the reachability sets of N_1 and N_2 (without recycling
variables) is defined hereafter:

\[ \varphi \;=\; \forall z\; (\neg\exists z'\; z \to z') \Rightarrow (\exists z_1\; z_1 \to z \wedge \varphi_1(z_1)) \wedge (\exists z_2\; z_2 \to z \wedge \neg\varphi_1(z_2)) \]

Formula φ_1(x) = ∃y (x → y ∧ y → y) indicates that x has a successor that has a 1-loop.

Lemma 3.1. Reach(N_1) = Reach(N_2) if and only if PURG(N) ⊨ φ.

Proof. For the implication from left to right, consider a deadlock M. Marking M is reachable
only via t^1_dl or t^2_dl, say M_1[t^1_dl⟩M. Then marking M_1 satisfies φ_1 and stems from a marking
M'_1[t^1_stop⟩M_1 of N_1. The hypothesis on equal reachability sets yields a marking M'_2 of N_2
that leads by transition t^2_stop to a marking M_2 satisfying ¬φ_1, as required.

In turn, if φ holds we establish two inclusions. To show Reach(N_1) ⊆ Reach(N_2),
consider a marking M'_1 reachable via sequence s_1 in N_1. In N, the marking can be prolonged
to a deadlock M with M_0[t^1_init⟩M^1_0[s_1⟩M'_1[t^1_stop⟩M_1[t^1_dl⟩M. Here, M_1 satisfies φ_1. But φ yields
another predecessor M_2 of M with M_2 ≠ M_1. To avoid the 1-loop, marking M_2 has to
result from a sequence M_0[t^2_init⟩M^2_0[s_2⟩M'_2[t^2_stop⟩M_2[t^2_dl⟩M. It is readily checked that M'_1 and
M'_2 coincide up to the token on the control place. Hence, M'_1 ∈ Reach(N_2) as required. □
Corollary 3.2. MC^URG(FO(→)) is undecidable, already for the fixed formula φ given in
this section.

By recycling variables in φ above, we get a sharp result that marks the undecidability
border of model checking against FO(→) by two variables. Model checking FO(→) restricted
to one variable is decidable.

Theorem 3.3. There exists a formula φ in FO(→) with two individual variables such that
MC^URG(FO(→)) restricted to φ is undecidable.

Proof. It is sufficient to observe that formula φ below

\[ \forall z\; (\neg\exists z'\; z \to z') \Rightarrow (\exists z_1\; z_1 \to z \wedge \varphi_1(z_1)) \wedge (\exists z_2\; z_2 \to z \wedge \neg\varphi_1(z_2)) \]

with φ_1(x) = ∃y (x → y ∧ y → y) is logically equivalent to the formula

\[ \forall z\; (\neg\exists z'\; z \to z') \Rightarrow (\exists z'\; z' \to z \wedge \varphi'_1(z')) \wedge (\exists z'\; z' \to z \wedge \neg\varphi'_1(z')) \]

where φ'_1(z') = ∃z (z' → z ∧ z → z). Recycling of variables is explained e.g. in [15]. □

Moreover, combined with the fact that model checking first-order logic for automatic
structures is decidable, Theorem 3.3 leads to the following impossibility result.

Corollary 3.4. There is no algorithm to construct an automatic graph isomorphic to the 
unlabelled reachability graph of a Petri net. 

Note that this negative result cannot follow directly from complexity-theoretic considerations.
Indeed, even if the unlabelled reachability graph of a Petri net could be represented
as an automatic graph, this automatic graph could not be used to decide on reachability
of markings unless this representation were in effective bijection with ℕ^n (where n is the
number of places).

Restricted to a single variable, model checking FO(→) becomes decidable.

Proposition 3.5. MC^URG(FO(→)) restricted to one individual variable is decidable.

Proof. Every sentence in FO(→) restricted to one individual variable is logically equivalent
either to ⊥, or to ⊤, or to a positive Boolean formula with atomic formulae of one of the
forms below:

(1) ∃x (x → x)

(2) ∃x ¬(x → x)

(3) ∀x (x → x)

(4) ∀x ¬(x → x).

Since (2) is the negation of (3) and (1) is the negation of (4), decidability is obtained by
evaluating (1) PURG(N) ⊨ ∃x (x → x) and (3) PURG(N) ⊨ ∀x (x → x). (1) can be checked
by solving one instance of the covering problem for each neutral transition of the net, whereas
(3) can be checked by solving a single instance of the reachability problem. Indeed, let T_0
be the subset of transitions of the net that leave markings unchanged (neutral transitions).
Then the set of markings specified hereafter is effectively semilinear:

\[ Z = \{ M : \text{not } M[t\rangle \text{ for all } t \in T_0 \} \]

We have PURG(N) ⊭ ∀x (x → x) iff there is a marking M ∈ Z that is reachable,
M_0 →* M. With [21, Lemma 4.3] this reduces to an instance of the reachability problem. □
It is possible to play further with parameters. For instance, our undecidability proof uses
several reachability graphs with constant formulae. It is open whether there is a fixed Petri
net reachability graph for which the model-checking problem for FO(→) is undecidable.

3.2. Robustness of the proof schema. Based on the previous proof schema, this section
presents undecidability results for subproblems of MC^URG(FO(→)). More specifically, we
consider the positive fragment, the forward fragment, the restriction when the direction of
edges is omitted, and ML(□, □⁻¹). For all these fragments, we establish undecidability of
model checking.

3.2.1. Forgetting orientation. Let Δ(x, x') = (x → x') ∨ (x' → x). Expressing properties
about PURG(N) in FO(Δ) amounts to getting rid of the direction of edges of this graph.
Despite this weakening, undecidability is still present for general Petri nets. To instantiate
the above argumentation, we have to identify deadlock markings and analyse their
environment. In FO(Δ), we augment markings encountered during the simulation by 3-cycles.
Then, the absence of 3-cycles and an environment without such cycles characterises
deadlock markings.

Proposition 3.6. MC^URG(FO(Δ)) is undecidable.

Proof. We take advantage of the fact that FO(Δ) can express that a node x belongs to an
undirected cycle of length three. A possible formula is:

\[ \mathit{3cycle}(x) = \exists y\, \exists z\; (\Delta(x,y) \wedge \Delta(y,z) \wedge \Delta(z,x)) \wedge \neg(\Delta(x,x) \vee \Delta(y,y) \vee \Delta(z,z)) \]

Now consider two Petri nets N_1 and N_2 with identical sets of places. For 1 ≤ i ≤ 3, add to
each net new places p_i and transitions t_i such that p_1 contains initially one token, while p_2
and p_3 are empty. Transition t_i takes one token from p_i and puts one token in p_{i+1 mod 3}.
The resulting Petri nets have identical reachability sets if and only if N_1 and N_2 have
identical reachability sets. Therefore, equality of reachability sets is undecidable for nets in
which every reachable marking belongs to some cycle of length three. Assuming that N_1
and N_2 have this property, let N be the net constructed from N_1 and N_2 as in the proof of
Theorem 3.3 (see also Figure 3.1). We can assume without loss of generality that every
transition of N_1 and N_2 changes the current marking (the other transitions do not affect
the reachability sets and can be removed). As a consequence, the reachability graphs of
the augmented nets N_1 and N_2 have no 1-loops, which is required for the effectiveness of
3cycle(x). The deadlock markings of N are then exactly the markings that have no cycle
of length one or three and that are surrounded by nodes without cycles of length three:

\[ \mathit{dead}(z) = \neg\Delta(z,z) \wedge \neg\mathit{3cycle}(z) \wedge \forall x\; \Delta(z,x) \Rightarrow \neg\mathit{3cycle}(x). \]

Equality of the reachability sets of N_1 and N_2 is then expressed by the formula φ below

\[ \forall z\; \mathit{dead}(z) \Rightarrow (\exists z_1\; \Delta(z,z_1) \wedge \varphi_1(z_1)) \wedge (\exists z_2\; \Delta(z,z_2) \wedge \neg\varphi_1(z_2)) \]

where φ_1(z) = ∃y Δ(z, y) ∧ Δ(y, y). We have Reach(N_1) = Reach(N_2) iff N ⊨ φ. By
Theorem 2.2, MC^URG(FO(Δ)) is undecidable. □
3.2.2. A well-known first-order fragment: ML(□, □⁻¹). To establish undecidability of the
problem VAL^URG(ML(□, □⁻¹)), we again provide a reduction from the equality problem
for Petri net reachability sets.

Proposition 3.7. VAL^URG(ML(□, □⁻¹)) is undecidable.

Proof. Consider two Petri nets N_1 and N_2 with identical sets of places. We rely on the
construction of N in Section 3.1 but give a modal formula φ (independent of N_1 and
N_2) that yields the following equivalence: N_1 and N_2 have the same reachability set iff
PURG(N), M ⊨ φ for every marking M in Reach(N). For all deadlocks, there is one
predecessor (from N_1) that is able to do two more steps and another predecessor (from N_2)
that is not:

\[ \varphi \;=\; \Box\bot \Rightarrow (\Diamond^{-1}\Diamond\Diamond\top \wedge \Diamond^{-1}\Box\Box\bot) \]

Formula φ is semantically equivalent to the first-order formula φ_fo defined below:

\[ \forall z\; (\neg\exists z'\; z \to z') \Rightarrow (\exists z_1, z_2, z_3\; (z_1 \to z) \wedge (z_1 \to z_2) \wedge (z_2 \to z_3)) \wedge (\exists z_1\; (z_1 \to z) \wedge \forall z_2, z_3\; \neg((z_1 \to z_2) \wedge (z_2 \to z_3))). \qquad \square \]

This undecidability result is tight. In Section 3.3.2 we establish decidability of an extended
variant of VAL^URG(ML(□)) where the backward modality □⁻¹ is excluded. Moreover, by
translating formulae in ML(□, □⁻¹) to FO(→) restricted to two individual variables, we get
another evidence that MC^URG(FO(→)) restricted to two individual variables is undecidable.
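As an added illustration (my own code, not from the paper or its authors) of the construction of Section 3.1 and of the two formulae built on it, the following Python script assembles the net N from two bounded input nets, explores PURG(N) explicitly, and evaluates the fixed FO(→) formula φ of Lemma 3.1 as well as the ML(□, □⁻¹) formula of Proposition 3.7; it then confirms both verdicts against a direct comparison of the reachability sets, which is only possible because the inputs are bounded. The transition names, the exact arcs of the gadget around p'_1, p'_2, p''_1, and the sample nets are my assumptions and constructions.

```python
from collections import deque

# Added example, not from the paper.  A Petri net is a dict transition -> (pre, post)
# with pre/post mapping place -> arc weight; a marking is a frozenset of (place, count)
# pairs (count > 0).  Transition names and the arcs of the gadget are my reconstruction.

def mk(d):
    """Normalise a dict marking into its hashable form."""
    return frozenset((p, c) for p, c in d.items() if c > 0)

def fire(m, pre, post):
    """Marking after firing (pre, post) from m, or None if the transition is disabled."""
    d = dict(m)
    if any(d.get(p, 0) < w for p, w in pre.items()):
        return None
    for p, w in pre.items():
        d[p] -= w
    for p, w in post.items():
        d[p] = d.get(p, 0) + w
    return mk(d)

def reach_graph(net, m0, limit=10_000):
    """Breadth-first exploration of PURG(net): dict marking -> set of successors.
    Terminates only for bounded nets; `limit` guards against unbounded input."""
    succ, todo = {m0: set()}, deque([m0])
    while todo:
        m = todo.popleft()
        for pre, post in net.values():
            m2 = fire(m, pre, post)
            if m2 is None:
                continue
            succ[m].add(m2)
            if m2 not in succ:
                if len(succ) >= limit:
                    raise RuntimeError("exploration limit hit: net may be unbounded")
                succ[m2] = set()
                todo.append(m2)
    return succ

def combine(n1, m01, n2, m02):
    """The net N of Section 3.1: shared places, init place p, control places p1/p2,
    stop places p'1/p'2 and the loop gadget p''1 (assumed not to clash with P)."""
    net = {}
    for i, (ni, m0i) in enumerate(((n1, m01), (n2, m02)), start=1):
        ctrl, stop = f"p{i}", f"p'{i}"
        for t, (pre, post) in ni.items():        # original transitions self-loop on ctrl
            net[f"{t}^{i}"] = ({**pre, ctrl: 1}, {**post, ctrl: 1})
        net[f"t_init^{i}"] = ({"p": 1}, {**m0i, ctrl: 1})  # initial guess: simulate N_i
        net[f"t_stop^{i}"] = ({ctrl: 1}, {stop: 1})        # freeze the simulation
        net[f"t_dl^{i}"] = ({stop: 1}, {})                 # forget the guess: deadlock
    net["t_loop^1"] = ({"p'1": 1}, {"p''1": 1})  # only M_1 gets a successor with a 1-loop
    net["t_sl"] = ({"p''1": 1}, {"p''1": 1})
    return net, mk({"p": 1})

def predecessors(succ):
    pred = {m: set() for m in succ}
    for m, ss in succ.items():
        for s in ss:
            pred[s].add(m)
    return pred

def phi1(succ, x):
    """phi_1(x) = exists y (x -> y and y -> y): x has a successor carrying a 1-loop."""
    return any(y in succ[y] for y in succ[x])

def holds_fo(succ, pred):
    """PURG(N) |= phi (Lemma 3.1): each deadlock has a predecessor of type M_1 and one of type M_2."""
    for z in (z for z in succ if not succ[z]):
        if not any(phi1(succ, z1) for z1 in pred[z]):
            return False
        if not any(not phi1(succ, z2) for z2 in pred[z]):
            return False
    return True

def valid_ml(succ, pred):
    """VAL^URG of the ML formula of Prop. 3.7: box bot => (dia^-1 dia dia top and dia^-1 box box bot)."""
    two_steps = lambda x: any(succ[y] for y in succ[x])   # dia dia top at x
    for z in (z for z in succ if not succ[z]):           # box bot: z is a deadlock
        if not any(two_steps(z1) for z1 in pred[z]):
            return False
        if not any(not two_steps(z2) for z2 in pred[z]):  # box box bot at z2
            return False
    return True

def check(n1, m01, n2, m02):
    """(FO verdict, ML verdict, direct Reach comparison); all three agree by Lemma 3.1 / Prop. 3.7."""
    net, init = combine(n1, m01, n2, m02)
    succ = reach_graph(net, init)
    pred = predecessors(succ)
    same = set(reach_graph(n1, mk(m01))) == set(reach_graph(n2, mk(m02)))
    return holds_fo(succ, pred), valid_ml(succ, pred), same

# Constructed sample nets over the shared places a and b (all bounded).
N1 = {"ab": ({"a": 1}, {"b": 1})}                             # a -> b
N2 = {"ab": ({"a": 1}, {"b": 1}), "ba": ({"b": 1}, {"a": 1})}  # a <-> b, same Reach as N1
N3 = {"abb": ({"a": 1}, {"b": 2})}                            # a -> b b, different Reach
M0 = {"a": 1}
```

`check(N1, M0, N2, M0)` returns `(True, True, True)` and `check(N1, M0, N3, M0)` returns `(False, False, False)`: the deadlock for marking b of N1 has no predecessor of type M_2 in the second case.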



3.2.3. FO(→) restricted to positive or forward formulae. Although VAL^URG(ML(□, □⁻¹))
and MC^URG(FO(→)) are undecidable in general, we have identified decidable fragments
of modal logic in Section 2.4. By analogy, one may expect to find decidability of related
fragments of first-order logic. We prove here that this is not the case. We consider forward
FO(→) and positive FO(→) and show that their model checking problems are undecidable.
In a positive formula, atomic propositions occur only under the scope of an even number of
negations. Let FO⁺(P) denote the set of positive first-order formulae over predicates in P.

Proposition 3.8. MC^URG(FO⁺(→)) is undecidable.

Proof. We rely on the previously introduced proof schema. Let N_1 and N_2 be two Petri
nets and N their combination sketched in Figure 3.1. We propose a positive formula φ so
that the inclusion Reach(N_2) ⊆ Reach(N_1) holds if and only if PURG(N) ⊨ φ:

\[ \varphi \;=\; \forall z\, \exists z_1\, \exists y_\ell\, \exists z'\; (z \to z') \vee ((z_1 \to z) \wedge (z_1 \to y_\ell) \wedge (y_\ell \to y_\ell)) \]

The formula considers an arbitrary marking M. If M is no deadlock, nothing is required
by φ. If M is a deadlock, then φ asks for vertices M_1 and M_ℓ so that M_1 is a common
direct ancestor of M and M_ℓ, and moreover M_ℓ has a 1-loop.

By construction of N, formula φ is satisfied if and only if every deadlock marking
M reachable in N (in particular, a simulation of N_2) can be reached in N_1. This means
Reach(N_2) ⊆ Reach(N_1). □
Open problem 1. Decidability status of MC^URG(FO⁺(Δ)).

A forward formula is a formula in which every occurrence x → y is in the scope of a quantifier
sequence of the form Q_1 x … Q_2 y where x is bound before y. Let FO_f(P) denote the set of
forward formulae over predicates in P.

Proposition 3.9. MC^URG(FO_f(→)) is undecidable.

Proof. We again reduce the equality problem for reachability sets of two Petri nets N_1 and
N_2. Let N be the net presented in Figure 3.1. We propose a forward formula φ so that
Reach(N_2) = Reach(N_1) if and only if PURG(N) ⊨ φ:

\[ \varphi \;=\; \forall z_2\, \exists z_1\, \forall z\, \exists y_\ell\, \exists z'\; (z_2 \to z) \Rightarrow ((z \to z') \vee \psi(z_1, z_2, z, y_\ell)) \]

\[ \psi(z_1, z_2, z, y_\ell) \;=\; (z_1 \to z) \wedge (y_\ell \to y_\ell) \wedge ((z_1 \to y_\ell) \Leftrightarrow \neg(z_2 \to y_\ell)) \]

Forward formulae make it harder to quantify over deadlock markings M. Before presenting
how formula φ enables the reduction, a short comment on quantification: this formula
intends to quantify over z, but the forward constraint imposes first to quantify over z_2, then
on z_1, and only afterwards on z. This is not a problem since, once z_2 is fixed, variable z_1 may
be fixed, and then z may be chosen. The idea of φ is to capture the situation in Figure 3.1,
potentially with the roles of M_1 and M_2 swapped. In detail, the formula considers an
arbitrary marking M_2, a corresponding marking M_1 (if it exists), and an arbitrary marking
M. If M_2 and M are not connected, then φ requires nothing. If M_2 and M are connected
and M is no deadlock, there are also no requirements. Otherwise M_2 and M are connected
and M is a deadlock. In this case, there must be a marking M_ℓ (valuation for y_ℓ) so that
formula ψ is true for (M_1, M_2, M, M_ℓ). The formula ψ checks that deadlock M is reachable
in both N_1 and N_2, see Figure 3.1. Thus, Reach(N_1) = Reach(N_2) iff PURG(N) ⊨ φ. This
proves the claimed undecidability. □

Open problem 2. Decidability status of MC^URG(FO_f(Δ)).

While forward formulae can well identify the deadlock markings used in the proof 
schema, the difficulty is in the description of the local environment witnessing the simulation 
results. 

3.3. Taming undecidability with fragments. In this section, we present the restrictions
of FO(→) that we found to have decidable model checking or validity problems.

3.3.1. Existential fragment. Our undecidability results follow a common principle, namely
identifying a local pattern in the reachability graph that characterizes an undecidable
property. The pattern may depend on the specification language. Below, we state a result
that, at first glance, might seem to contradict the previous findings: decidability of
MC^URG(FO(→)) restricted to the existential fragment. This decidability, however, simply
implies that universal quantification is needed to characterize undecidable properties by
local patterns. We write ∃FO for the fragment of FO consisting of those formulae that use
only existential quantification when written in prenex normal form.

Proposition 3.10. MC^URG(∃FO(→, =)) is decidable.

Proof. Let N = (P, T, F, M_0) be a Petri net with reachability set Reach(N) and |P| = n.
Decidability follows from two crucial properties:

(1) Given a Presburger formula φ(x_1, …, x_α) with n × α free variables such that each x_i is a
sequence of n distinct variables interpreted as a marking of N, one can decide whether
φ(M_1, …, M_α) holds true for some (not necessarily distinct) markings M_1, …, M_α in
Reach(N). Proposition 2.3 corresponds to the case α = 1.

(2) One can effectively construct a quantifier-free Presburger formula φ_→(x_1, x_2) so that
for all markings M_1, M_2, formula φ_→(M_1, M_2) holds iff M_1[t⟩M_2 for some t ∈ T.

Before we turn to the proofs of (1) and (2), we explain how these results yield decidability
of MC^URG(∃FO(→, =)). Consider φ = ∃x_1, …, x_α φ' where φ' is a quantifier-free formula
with atomic propositions of the form x_i → x_j and x_i = x_j. With (2), one constructs
a quantifier-free Presburger formula ψ(x_1, …, x_α) so that for all markings M_1, …, M_α in
Reach(N), formula ψ(M_1, …, M_α) holds true iff PURG(N), v ⊨ φ' where v(x_i) = M_i
for 1 ≤ i ≤ α. By (1), it is decidable whether ψ(M_1, …, M_α) holds for some markings
M_1, …, M_α ∈ Reach(N). This is equivalent to URG(N) ⊨ φ.

It remains to prove (1) and (2). The formula φ_→(x_1, x_2) for statement (2) encodes the
definition of enabledness and firing for transitions, M[t⟩M':

\[ \bigvee_{t \in T} \Big( \bigwedge_{p \in P} x_1(p) \geq F(p,t) \Big) \wedge \Big( \bigwedge_{p \in P} x_2(p) = x_1(p) - F(p,t) + F(t,p) \Big). \]

For statement (1), we adapt the proof of Proposition 2.3. We construct a Petri net N'
that simulates α copies of N. Technically, N' is defined as the disjoint union of α instances
of N. The initial marking of N' is α times M_0. For all markings M_1, …, M_α we now have
the following equivalence: the markings are reachable in N and satisfy ψ(M_1, …, M_α) iff
(M_1, …, M_α) is a possible simulation result in N' and ψ(M_1, …, M_α) holds. An application
of Proposition 2.3 on N' and ψ yields the desired decidability result. □

Again, decidability is preserved with Presburger-definable properties on markings and 
with labelled transition relations of the form 

Corollary 3.11. MC^URG(FO(→, =)) restricted to Boolean combinations of existential formulae
is decidable.

Consequently, the following subgraph isomorphism problem is decidable too:

input: a finite directed graph G = (V, E) and a Petri net N.
question: is there a subgraph of (Reach(N), →) isomorphic to G?

Open problem 3. Decidability status of MC^URG(∃FO(Δ)) and MC^URG(∃FO(Δ, →)).



3.3.2. ML(□) with arithmetical constraints. Section 3.2.2 proves that VAL^URG(ML(□, □⁻¹))
is undecidable. To our surprise, and in contrast to the negative result on model checking
the forward fragment of FO, this undecidability depends on the backward modality. The
following Proposition 3.12 shows decidability of the validity problem for ML(□), even in
the presence of arithmetical constraints at the atomic level.

Proposition 3.12. The validity problem VAL^URG(PAML(□)) is decidable.

Proof. Let N be a Petri net, and φ a formula in PAML(□). According to Lemma 3.13
stated hereafter, the set of markings satisfying ¬φ is effectively semilinear. Let X_¬φ be this
set. Proving validity of φ amounts to checking that no element of X_¬φ is reachable in N.
This is decidable from Proposition 2.3. □
Lemma 3.13. Given a Petri net N with n places and a formula φ in PAML(□), the set
of markings in ℕ^n satisfying φ in UG(N) is effectively semilinear.

Proof. We proceed by induction on the structure of φ, using the fact that semilinear sets
are (effectively) closed under Boolean operations and the fact that, if X is semilinear, then
pre(X) = {M ∈ ℕ^n : ∃M' ∈ X, M → M'} is effectively semilinear too. The latter set
pre(X) contains all markings with a successor marking in X.

Each atomic formula is a quantifier-free Presburger formula, and as such, defines a
semilinear set. Throughout the induction on the structure of φ, formulae with outermost
Boolean connectives are treated in the obvious way by applying Boolean operations on
semilinear sets. Eventually one has to prove that □ψ defines a semilinear set whenever ψ
does. Using the induction hypothesis, let X_ψ be the semilinear set of markings satisfying
ψ. The set satisfying □ψ is then equal to ℕ^n \ pre(ℕ^n \ X_ψ), which is effectively semilinear.
This concludes the induction, and the proof. □

This decidability result can be extended by allowing labels on edges (transitions). 



3.4. On the hardness of decidable problems. Some of our decision procedures call
subroutines for checking reachability in Petri nets, even though the reachability problem is
not known to be primitive recursive. We provide here some complexity-theoretic justification
for these costly invocations: we reduce the reachability problem for Petri nets to the
decidable problems MC^URG(ML(□, □⁻¹)) and MC^URG(∃FO(→)). Besides reachability, we
proposed decision procedures that exploit the effective semilinearity of reachability sets or
relations (see e.g. Proposition 2.7). The next proposition shows that, already for bounded
Petri nets, MC^URG(FO(→)) is of high complexity.

Proposition 3.14. MC^URG(FO(→)) restricted to bounded Petri nets is decidable but this
problem has nonprimitive recursive complexity.

Proof. We perform a reduction from the finite containment problem for Petri nets, known
to have nonprimitive recursive complexity [36]. Let N_1 and N_2 be two bounded Petri nets
with identical sets of places, and construct N as in Section 3.1. This net is bounded. The
formula φ in FO(→) that checks inclusion is derived from the formula in Section 3.1:

\[ \forall z\; (\neg\exists z'\; z \to z') \Rightarrow (\exists z_2\; z_2 \to z \wedge \neg\varphi_1(z_2)) \]

where φ_1(x) = ∃y (x → y ∧ y → y). The construction guarantees Reach(N_1) ⊆ Reach(N_2)
iff URG(N) ⊨ φ. Indeed, a deadlock is either reachable from N_2 or from N_1. But to satisfy
the formula, if the deadlock is reachable from N_1 it also has to be reachable from N_2. Note
that the formula φ is again independent of N_1 and N_2. □

We have seen that VAL^URG(ML(□)) is decidable by reduction to the reachability problem
for Petri nets (see Proposition 3.12). Below, we state that there is a reduction in the
reverse direction, from non-reachability to VAL^URG(ML(□)).

Proposition 3.15. There is a logarithmic-space reduction from the non-reachability problem
for Petri nets to VAL^URG(ML(□)).

Proof. Without any loss of generality, we can assume that the non-reachability problem
is restricted to the target marking 0 (no place has any token). Consider the Petri net
N = (P, T, F, M_0) where we assume w.l.o.g. that every transition has a place in its preset.
Figure 3.2: Reachability graph in the hardness proof of ML(□, □⁻¹)-model checking

We build a variant Petri net N' from N by adding a new transition t_p for every place p ∈ P.
The new transitions are put in self-loop with their places, F'(p, t_p) = 1 = F'(t_p, p) and
F'(p', t_p) = 0 = F'(t_p, p') for all p' ∈ P with p' ≠ p. Intuitively, t_p witnesses the presence
of tokens on p by the existence of at least one transition from M in the reachability graph.
As a result, 0 ∉ Reach(N) iff for every marking M ∈ Reach(N'), some transition can be
fired: (D, →), M ⊨ ◇⊤. Note that our reduction uses a constant formula. □

Proposition 3.16. There is a logarithmic-space reduction from the reachability problem
for Petri nets to MC^URG(ML(□, □⁻¹)).

Proof. We reduce reachability of marking M_2 from marking M_1 in a Petri net N to an
instance of MC^URG(ML(□, □⁻¹)) for a larger net N'. The idea is to introduce a marking M_w
(see Figure 3.2) such that the existence of a path to M_w of length greater than 1 is a
witness for the existence of some path from M_1 to M_2 in PURG(N). To reach M_w by an ML
formula, we place it close to the new initial marking. We sketch the argumentation. The
initial marking M_0 of N' contains a single marked place p_i for which two transitions t_try and
t_0 compete. Transition t_try moves the unique token from p_i to another place p_w, and thus
produces the marking M_w where no other place is marked. Transition t_0 loads M_1 in the
places of N and moves the control token from p_i to another control place p_c set in self-loop
with all transitions of N. This starts the simulation of N from M_1. The simulation may
get stuck or proceed forever, or it may be interrupted whenever it reaches a marking of N
greater than or equal to M_2. Then, transition t_stop consumes M_2 from the places of N and
moves the control token from p_c to a place p'_w. The control token is finally moved from p'_w
to p_w by firing t_win. M_w is reached, after firing t_stop t_win, iff M_2 is reached. Therefore M_2
is reachable from M_1 iff M_w is reachable from M_1 (its restriction to the places of N is M_1).
This is equivalent to stating that M_w has a predecessor different from M_0. The shape of
the reachability graph allows us to formulate the latter as a local property in ML(□, □⁻¹):

\[ \varphi := \Diamond(\Box\bot \wedge \Diamond^{-1}\Diamond^{-1}\top). \]

Without loss of generality, we can assume that M_1 is no deadlock and M_2 ≠ M_1. Formula
φ requires that M_0 has a deadlock successor which has an incoming path of length two.
That the successor is a deadlock means it is not M_1 but M_w, obtained by firing t_try. The
path from M_0 to M_w is of length one and M_0 has no predecessor. So the path of length
two to M_w is not via t_try but stems from t_win. This means M_w is reachable from M_1, which
means M_2 is reachable from M_1 in N. □

The proof of Proposition 3.16 can be adapted to ∃FO(→) for which we also have shown
decidability of model-checking by reduction to the reachability problem for Petri nets.

Proposition 3.17. There is a logarithmic-space reduction from the reachability problem
for Petri nets to MC^URG(∃FO(→)) restricted to a single variable.
Proof. Among any two of the following problems, there is a logarithmic-space reduction:

(1) the reachability problem for Petri nets;

(2) the reachability problem for Petri nets restricted to instances such that the target
marking M is equal to 0;

(3) the following variant of the reachability problem:

input: a Petri net N = (P, T, F, M_0) with no neutral transitions and a place p ∈ P.

question: Is there a marking M with M(p) = 0 such that M ∈ Reach(N)?

To show that (3) is as hard as reachability, the idea is to introduce a budget place that
maintains the sum of tokens in all other places. From an instance of problem (3), let us
build an instance of MC^URG(∃FO(→)) restricted to a single variable. We build a Petri net
N' from N and p ∈ P by simply adding a neutral transition (the unique one in N') that is
in self-loop with p. One can then easily show that there is a marking M ∈ Reach(N) with
M(p) = 0 iff PURG(N') ⊨ ∃x ¬(x → x). □



4. FO with Reachability Predicates

In this section, we consider several first-order languages with reachability relations →* or →⁺,
mainly without the one-step relation →. Undecidability of these dialects does not directly
follow from Theorem 3.3 since we may exclude →. Nonetheless we follow the same proof
schema. Besides, we distinguish the case when reachability sets are semilinear, leading to
a surprising undecidability result (Proposition 4.5). Finally, we show that model-checking
unlabelled graphs with FO(→, →*) is undecidable too.

4.1. FO with reachability relations. Let us see why the model checking problem for 
both the strict and the non-strict reachability relation is undecidable. 

4.1.1. Undecidability of MC^URG(FO(→⁺)). The decidability status of MC^URG(FO(→⁺)) is
not directly dependent upon the decidability status of MC^URG(FO(→)). Still we are able
to adapt the construction of Section 3.1, but using now a formula φ in FO(→⁺). The Petri
net is the one depicted in Figure 3.1. The formula is defined as follows:

\[ \varphi \;=\; \forall z\; \mathit{dl}(z) \Rightarrow (\exists z_1\; (z_1 \to^{+} z) \wedge \varphi_{\mathit{left}}(z_1)) \wedge (\exists z_2\; (z_2 \to^{+} z) \wedge \varphi_{\mathit{right}}(z_2)) \]

where

★ dl(z) = ¬∃z' z →⁺ z',

★ sl(y) = y →⁺ y ∧ ∀w [y →⁺ w ⇒ w →⁺ y],

★ φ_left(z) = [∃y z →⁺ y ∧ sl(y)] ∧ [∀y z →⁺ y ⇒ (sl(y) ∨ dl(y))],

★ φ_right(z) = [∃y z →⁺ y ∧ ∀y z →⁺ y ⇒ dl(y)].

Lemma 4.1. Reach(N_1) = Reach(N_2) iff PURG(N) ⊨ φ.

Proof. The principles presented in the proof of Lemma 3.1 apply here. Below, we refer to
markings as they are depicted in Figure 3.1.

First, observe that none of the formulae dl(z), sl(y), φ_left(z) nor φ_right(z) may be satisfied
at a marking reached in the course of simulating the original Petri nets N_1 or N_2: the
formula dl(z), which asserts the absence of a successor, is always false on such markings
whereas the formula sl(y), requiring that one can always come back to y, is false at such
markings since the transitions t^1_stop and t^2_stop cannot be undone. Furthermore, neither dl
nor sl is satisfied by the markings M_1 or M_2. Hence, formulae φ_left(z) and φ_right(z) are
not satisfied by any marking z reached in the course of simulating N_1 or N_2: any such
marking has at least one successor of the type M_1 or M_2, thus invalidating the subformulae
∀y z →⁺ y ⇒ (sl(y) ∨ dl(y)) and ∀y z →⁺ y ⇒ dl(y).

Now, it is straightforward to verify the following facts:

★ dl(z) is satisfied precisely at markings M_R and M_L;

★ sl(y) is satisfied precisely at the marking carrying the 1-loop (below M_1 in Figure 3.1);

★ φ_left and φ_right are satisfied respectively at markings M_1 and M_2.

The formula φ may be written ∀z φ'(z) with φ'(z) of the form dl(z) ⇒ ψ(z). Formula φ'(z)
is true whenever z evaluates to a non-deadlock marking. Otherwise, when z is a deadlock,
validity of φ requires that it has two distinct predecessors z_1 and z_2 of the types M_1 and M_2,
entailing the equality of the reachability sets of N_1 and N_2. Conversely, if both reachability
sets are equal, then all markings of N_1 and N_2 are connected as described in Figure 3.1,
entailing the validity of φ in N. □

Corollary 4.2. $\mathrm{MC}^{\mathrm{PURG}}(\mathrm{FO}(\to))$ is undecidable. Furthermore, this result holds for the fixed formula $\varphi$ defined earlier.

4.1.2. Undecidability of $\mathrm{MC}^{\mathrm{URG}}(\mathrm{FO}(\leadsto))$. For showing undecidability of $\mathrm{MC}^{\mathrm{URG}}(\mathrm{FO}(\leadsto))$, we have to adapt our usual proof schema since, in $\mathrm{FO}(\leadsto)$, we are no longer able to identify 1-loops as we did in $\mathrm{FO}(\to)$. The new schema is illustrated in Figure 4.1.

Proposition 4.3. $\mathrm{MC}^{\mathrm{URG}}(\mathrm{FO}(\leadsto))$ is undecidable.




Figure 4.1: Petri net adapted for $\mathrm{FO}(\to)$

Proof. From two Petri nets $N_1$ and $N_2$, we construct the Petri net $N$ depicted in Figure 4.1. We define the following formulae:

• $dl(z) \stackrel{\mathrm{def}}{=} \forall w\; z \leadsto w \Rightarrow w \leadsto z$,

• $predl(z) \stackrel{\mathrm{def}}{=} \neg dl(z) \wedge \big(\forall w\,(z \leadsto w \wedge \neg\, w \leadsto z) \Rightarrow dl(w)\big)$.
Thus, in Figure 4.1, the markings $M_r$ and $M_l$ satisfy $dl$, and the markings $M_1$ and $M_2$ satisfy $predl$, but no other marking satisfies these predicates. The formula $\varphi$ is defined as follows:

$$\varphi \stackrel{\mathrm{def}}{=} \forall z\,\big(dl(z) \Rightarrow \exists z_1, z_2\,(z_1 \leadsto z \wedge predl(z_1) \wedge z_2 \leadsto z \wedge predl(z_2) \wedge \neg\, z_1 \leadsto z_2)\big)$$

Observe that $\neg\, z_1 \leadsto z_2$ ensures that $z_1$ and $z_2$ have distinct interpretations. By construction, $\mathrm{Reach}(N_1) = \mathrm{Reach}(N_2)$ iff $\mathrm{PURG}(N) \models \varphi$. □
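As an added illustration that is not part of the paper, the following Python snippet builds the unlabelled reachability graph of a small constructed bounded net, computes the reflexive-transitive reachability relation $\leadsto$ as a closure, and evaluates $dl$, $predl$ and the sentence $\varphi$ of Proposition 4.3 on it by brute force. The toy net, its place order and the exploration bound are assumptions; the paper's graphs are in general infinite and $\varphi$ cannot be evaluated this way on them.

```python
from collections import deque

# Constructed toy net (not from the paper). Place order: (s, l, r, d);
# transitions are (pre, post) vectors: s->l, s->r, l->d, r->d.
NET_OK = [((1, 0, 0, 0), (0, 1, 0, 0)), ((1, 0, 0, 0), (0, 0, 1, 0)),
          ((0, 1, 0, 0), (0, 0, 0, 1)), ((0, 0, 1, 0), (0, 0, 0, 1))]
M0 = (1, 0, 0, 0)

def urg(transitions, m0, bound=8):
    """Unlabelled reachability graph as {marking: set of successor markings}.
    `bound` (an assumption of this toy) aborts exploration of unbounded nets."""
    succ = {}
    todo = deque([m0])
    while todo:
        m = todo.popleft()
        if m in succ:
            continue
        succ[m] = set()
        for pre, post in transitions:
            if all(a >= b for a, b in zip(m, pre)):          # transition enabled
                m2 = tuple(a - b + c for a, b, c in zip(m, pre, post))
                if max(m2) > bound:
                    raise ValueError("bound exceeded: net may be unbounded")
                succ[m].add(m2)
                todo.append(m2)
    return succ

def reach_rel(succ):
    """Reflexive-transitive closure of ->, i.e. the relation z ~> w."""
    R = {m: {m} for m in succ}
    for m in succ:
        stack = list(succ[m])
        while stack:
            w = stack.pop()
            if w not in R[m]:
                R[m].add(w)
                stack.extend(succ[w])
    return R

def dl(R, z):
    """dl(z) = forall w (z ~> w => w ~> z): z lies in a terminal SCC."""
    return all(z in R[w] for w in R[z])

def predl(R, z):
    """predl(z) = not dl(z) and forall w ((z ~> w and not w ~> z) => dl(w))."""
    return not dl(R, z) and all(dl(R, w) for w in R[z] if z not in R[w])

def phi(succ):
    """Sentence of Prop. 4.3: each dl-marking z has predl predecessors z1, z2, not z1 ~> z2."""
    R = reach_rel(succ)
    for z in R:
        if dl(R, z):
            preds = [z1 for z1 in R if z in R[z1] and predl(R, z1)]
            if not any(z2 not in R[z1] for z1 in preds for z2 in preds):
                return False
    return True
```

Dropping the transition r->d from NET_OK makes r a second deadlock whose only predecessor s does not satisfy predl, so phi becomes false.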

Even though $\mathrm{MC}^{\mathrm{UG}}(\mathrm{FO}(\to, =))$ is decidable (see Proposition 2.5), replacing $\to$ by $\leadsto$ and adding $init$ leads to undecidability.

Corollary 4.4. $\mathrm{MC}^{\mathrm{UG}}(\mathrm{FO}(init, \leadsto))$ is undecidable.

Indeed, $\mathrm{MC}^{\mathrm{URG}}(\mathrm{FO}(\leadsto))$ reduces to $\mathrm{MC}^{\mathrm{UG}}(\mathrm{FO}(init, \leadsto))$ by relativization: $\mathrm{URG}(N) \models \varphi$ iff $\mathrm{UG}(N) \models \exists x_0\; init(x_0) \wedge f(\varphi)$, where $\varphi$ and $f(\varphi)$ are in $\mathrm{FO}(\leadsto)$, $f$ is homomorphic for Boolean connectives and $f(\forall x\; \psi) = \forall x\; (x_0 \leadsto x) \Rightarrow f(\psi)$.

Open problem 4. Decidability status of $\mathrm{MC}^{\mathrm{UG}}(\mathrm{FO}(\leadsto))$. ○



4.2. When semilinearity enters into the play. We saw that $\mathrm{MC}^{\mathrm{PURG}}(\mathrm{FO}(\to, =))$ restricted to Petri nets with effectively semilinear reachability sets is decidable, using a translation into Presburger arithmetic (see Proposition 2.7). This section is devoted to discovering what happens when the relation $\leadsto$ is added. We establish that $\mathrm{MC}^{\mathrm{PURG}}(\mathrm{FO}(\to, \leadsto))$ restricted to Petri nets with semilinear reachability sets is undecidable, by a reduction from $\mathrm{MC}^{\mathrm{PURG}}(\mathrm{FO}(\to))$. Given a Petri net $N$ and a sentence $\varphi \in \mathrm{FO}(\to)$, we reduce the truth of $\varphi$ in $\mathrm{PURG}(N)$ to the truth of a formula $\overline{\varphi}$ in $\mathrm{PURG}(\overline{N})$, where $\overline{N}$ is an augmented Petri net with a semilinear reachability set. The Petri net $\overline{N}$ is defined from $N$ by adding the new places $p_0$, $p_1$ and $p_2$; each transition from $N$ is in self-loop with $p_1$. Moreover, we add a new set of transitions in self-loop with $p_2$, each of which adds tokens to or removes tokens from a corresponding (original) place of $N$ (thus modifying its contents arbitrarily). These transitions form a subnet denoted by $Br$. Three other transitions are added; see Figure 4.2 for a schematic representation of $\overline{N}$ (the initial marking $\overline{M}_0$ of $\overline{N}$ restricted to the places of $N$ is $M_0$, while $\overline{M}_0(p_0) = \overline{M}_0(p_1) = 1$ and $\overline{M}_0(p_2) = 0$). Our intention is to force $\mathrm{Reach}(\overline{N})$ to be semilinear while staying able to identify a subset of $\mathrm{Reach}(\overline{N})$ in bijection with $\mathrm{Reach}(N)$; this is a way to drown $\mathrm{Reach}(N)$ into $\mathrm{Reach}(\overline{N})$. Indeed, $\mathrm{Reach}(\overline{N})$ contains all markings such that the sum of $p_1$ and $p_2$ is 1 and $p_0$ is at most 1. Nevertheless, if the transition $t$ is fired first, then the subsequently reachable markings are exactly those of $N$ (except that $p_1$ contains one token); $\mathrm{PURG}(N)$ embeds isomorphically into $\mathrm{PURG}(\overline{N})$. Until $t$ is fired, one may always come back to $\overline{M}_0$, using the brownian subnet $Br$, but this is impossible afterwards.

Proposition 4.5. $\mathrm{MC}^{\mathrm{PURG}}(\mathrm{FO}(\to, \leadsto))$ restricted to Petri nets with semilinear reachability sets is undecidable.

Proof. In a first stage, we use $init$ although this predicate cannot be expressed in $\mathrm{FO}(\to, \leadsto)$. Let $\overline{\varphi}$ be the formula $\exists x_0\, x_1\; init(x_0) \wedge x_0 \to x_1 \wedge \neg(x_1 \leadsto x_0) \wedge f(\varphi)$, where $f(\cdot)$ is homomorphic for Boolean connectives and $f(\forall x\; \psi) = \forall x\; (x_1 \leadsto x) \Rightarrow f(\psi)$ (relativization). In $\overline{\varphi}$, $x_0$ is interpreted as the initial marking $\overline{M}_0$, and $x_1$ is interpreted as a successor of $x_0$ from which $x_0$ cannot be reached again. This may only happen by firing $t$ from $\overline{M}_0$. Now the relativization of every other variable to $x_1$ in $\overline{\varphi}$ ensures that $\mathrm{PURG}(N) \models \varphi$ iff $\mathrm{PURG}(\overline{N}) \models \overline{\varphi}$. To remove $init$, we construct a Petri net $\overline{N}'$ very similar to $\overline{N}$. $\overline{N}'$ has an extra place $p'_0$, initially marked with one token, and a new transition that consumes this token and produces two tokens in $p_0$ and $p_1$, which were initially empty. By construction, the initial marking of $\overline{N}'$ is the sole marking in $\mathrm{PURG}(\overline{N}')$ with no incoming edge and one outgoing edge. With this modified net, we use the modified formula $\overline{\varphi}'$ as follows:

$$\exists x'_0\, x_0\, x_1\; (\neg \exists y\; y \to x'_0) \wedge x'_0 \to x_0 \wedge x_0 \to x_1 \wedge \neg(x_1 \leadsto x_0) \wedge f(\varphi)$$

For the same reasons as above, $\mathrm{PURG}(N) \models \varphi$ iff $\mathrm{PURG}(\overline{N}') \models \overline{\varphi}'$. □

Figure 4.2: Petri net $\overline{N}$ (shared places)

Open problem 5. Decidability status of $\mathrm{MC}^{\mathrm{PURG}}(\mathrm{FO}(\leadsto))$ restricted to Petri nets with semilinear reachability sets. ○

4.3. The reachability relation and the structure $\mathrm{UG}(N)$. Corollary 4.4 has stated a first undecidability result for the structure $\mathrm{UG}(N)$. In this section, we examine two other situations where it is an undecidable problem to model-check formulas of $\mathrm{FO}(\to, \leadsto)$ in $\mathrm{UG}(N)$.

Proposition 4.6. $\mathrm{MC}^{\mathrm{UG}}(\mathrm{FO}(\to, \leadsto))$ is undecidable.




Figure 4.3: Petri net $N$ ($p_\ell$: new place in self-loop with each transition of $N$; for each place $p_i$ in $N$, there is a transition $t_i$ in self-loop with it)
Proof. We reduce $\mathrm{MC}^{\mathrm{URG}}(\mathrm{FO}(\leadsto))$ to $\mathrm{MC}^{\mathrm{UG}}(\mathrm{FO}(\to, \leadsto))$. Given a net $N = (P, T, F, M_0)$ and a formula $\varphi$ in $\mathrm{FO}(\leadsto)$, we construct $N''$ and $\varphi'$ such that $\mathrm{URG}(N) \models \varphi$ iff $\mathrm{UG}(N'') \models \varphi'$. Figure 4.3 presents some key elements for the construction of $N''$.

First, let $N' = (P', T', F', M'_0)$ be the Petri net defined with $P' = P \cup \{p_\ell\}$, $T' = T \cup \{t_i \mid p_i \in P'\}$, for all $(p, t)$ in $P \times T$, $F'(p, t) = F(p, t)$ and $F'(t, p) = F(t, p)$, for all $p_i \in P'$, $F'(p_i, t_i) = F'(t_i, p_i) = 1$, for all $t \in T$, $F'(t, p_\ell) = F'(p_\ell, t) = 1$, for all $p \in P$, $M'_0(p) = M_0(p)$, and $M'_0(p_\ell) = 1$. Restricted to the places in $P$ (all places but $p_\ell$), the reachable markings of $N'$ coincide with those of $N$. By construction, $p_\ell$ always contains a single token. In $\mathrm{URG}(N')$, every marking has a 1-loop. Similarly, every marking of $N'$ in which some place is positive possesses a 1-loop in the graph $\mathrm{UG}(N')$. The tuple $(0, 0, \ldots, 0)$, on the other hand, enables no transition (the empty place $p_\ell$ inhibits every transition of $T$, and each $t_i$ needs a token in $p_i$).

Now, we construct $N''$ from $N'$. $N''$ has the same places and transitions as $N'$, plus an extra place $p_0$ and two extra transitions $t_e$ and $t_0$. Transition $t_e$ removes tokens from $p_0$, one at a time. Transition $t_0$ consumes one token from $p_0$ and produces $M'_0$ in the places of $N'$. The initial marking $M''_0$ of $N''$ has a single token, in place $p_0$.

We claim the following:

• The reachability graph of $N''$ is identical to the reachability graph of $N'$, up to the first transition $t_0$ and up to the 1-loops, which have no influence on formulas in $\mathrm{FO}(\leadsto)$.

• There is a formula $\varphi_{init}(x) \in \mathrm{FO}(\to, \leadsto)$ which is satisfied in $\mathrm{UG}(N'')$ only at $M''_0$.

Assuming these claims, validity of a formula in $\mathrm{FO}(\leadsto)$ with respect to $\mathrm{URG}(N)$ may be reduced to the validity of a formula of $\mathrm{FO}(\to, \leadsto)$ with respect to $\mathrm{UG}(N'')$, using a technique similar to the proof of Corollary 4.4. For this purpose, we relativize the given formula in $\mathrm{FO}(\leadsto)$ to the vertices of $\mathrm{UG}(N'')$ that may be reached from the marking $M'_0$ defined by $M''_0 [t_0\rangle M'_0$. This can actually be done in $\mathrm{FO}(\to, \leadsto)$, because $M'_0$ is the sole marking of $N''$ that satisfies the formula $\exists y\; \varphi_{init}(y) \wedge y \to x \wedge x \to x$. Therefore, to complete the proof of the proposition, it suffices to establish the two claims made above.

Now, the first claim derives immediately from the construction of $N''$. The second claim may be established by setting:

$$\varphi_{init}(x) \stackrel{\mathrm{def}}{=} (\neg\, x \to x) \wedge (\exists y\, \forall z\; x \to y \wedge \neg(y \to z))$$

This formula contains a subformula $(\neg\, x \to x)$ that expresses the absence of a 1-loop; thus $\varphi_{init}(x)$ may only be satisfied in markings with all places $p \in P'$ empty. But $(\neg\, x \to x)$ may be satisfied in a marking $x$ with an arbitrary number of tokens in $p_0$. Now consider markings with all places in $P'$ empty, and an arbitrary number of tokens in $p_0$. Three cases must be considered. First, suppose that $p_0$ contains a single token (i.e., $x$ is interpreted by $M''_0$); then $(\exists y\, \forall z\; x \to y \wedge \neg(y \to z))$ is satisfied: $x$ has a successor $y$ (reached by firing $t_e$) which is a deadlock. Second, if $p_0$ is empty, then the marking $x$ has no successor at all. Third, if $p_0$ contains at least two tokens, then no successor of $x$ is a deadlock: every marking reached by $t_0$ has a 1-loop, and $t_e$ can be executed at least twice. Putting everything together, the only marking of $N''$ satisfying $\varphi_{init}(x)$ is the marking $M''_0 = (1, 0, \ldots, 0)$, establishing the second claim. □

Proposition 4.6 holds even when the reachability set of the net is effectively semilinear.

Proposition 4.7. $\mathrm{MC}^{\mathrm{UG}}(\mathrm{FO}(\to, \leadsto))$ is undecidable for the subclass of Petri nets with an effectively semilinear reachability set.
Proof. We pile up (adaptations of) the proofs of Propositions 4.3, 4.5 and 4.6.

Given two arbitrary nets $N_1$ and $N_2$ without neutral transitions, let $N_3$ denote the net $N$ constructed from $N_1$ and $N_2$ as in the proof of Proposition 4.3, and let $M_3$ denote the initial marking of this net. By the proof of Proposition 4.3, $\mathrm{Reach}(N_1) = \mathrm{Reach}(N_2)$ if and only if $\mathrm{PURG}(N_3) \models \varphi$, where:

$$\varphi \stackrel{\mathrm{def}}{=} \forall z\,\big(dl(z) \Rightarrow \exists z_1, z_2\,(z_1 \leadsto z \wedge predl(z_1) \wedge z_2 \leadsto z \wedge predl(z_2) \wedge \neg\, z_1 \leadsto z_2 \wedge \neg\, z_2 \leadsto z_1)\big),$$

$$dl(z) \stackrel{\mathrm{def}}{=} \forall w\; z \leadsto w \Rightarrow w \leadsto z,$$

$$predl(z) \stackrel{\mathrm{def}}{=} \neg dl(z) \wedge (\forall w)\,(z \leadsto w \wedge \neg\, w \leadsto z) \Rightarrow dl(w).$$

Let $\mathrm{PURG}_\circ(N_3)$ be the extended reachability graph obtained from $\mathrm{PURG}(N_3)$ by adding a 1-loop at every marking. Then clearly, $\mathrm{PURG}(N_3) \models \varphi$ if and only if $\mathrm{PURG}_\circ(N_3) \models \varphi$. By Hack's result, $\mathrm{PURG}_\circ(N_3) \models \varphi$ is undecidable from the input $\{N_1, N_2\}$.

Now put $N = N_3$ in the net shown in Figure 4.2. Denote the resulting net $\overline{N}$ by $N_4$, and let $M_4$ be its initial marking. By construction, $N_4$ has a semilinear reachability set. Moreover, if we put:

$$\theta(x, y) \stackrel{\mathrm{def}}{=} init(x) \wedge x \to y \wedge \neg(y \leadsto x),$$

then, in $\mathrm{PURG}(N_4)$, this statement holds exclusively for $x$ interpreted by $M_4$ and $y$ interpreted by $M_3 + \{p_1\}$. Let $\mathrm{PURG}_\circ(N_4)$ be the extended reachability graph obtained from $\mathrm{PURG}(N_4)$ by adding a 1-loop at every marking. Then clearly, in $\mathrm{PURG}_\circ(N_4)$, $\theta(x, y)$ holds exclusively for $x$ interpreted by $M_4$ and $y$ interpreted by $M_3 + \{p_1\}$.

Finally, put $N = N_4$ in the net shown in Figure 4.3. Denote the resulting net by $N_5$, and let $M_5$ be its initial marking. Thus, $N_5$ has a semilinear reachability set. As was shown in the proof of Proposition 4.6, if we put:

$$\varphi_{init}(x) \stackrel{\mathrm{def}}{=} (\neg\, x \to x) \wedge (\exists y\, \forall z\; x \to y \wedge \neg(y \to z)),$$

then, in $\mathrm{UG}(N_5)$, $\varphi_{init}(x)$ holds exclusively for $x$ interpreted by $M_5$. Therefore, if we put:

$$\psi_{init}(x) \stackrel{\mathrm{def}}{=} \exists y\; \varphi_{init}(y) \wedge y \to x \wedge x \to x,$$

then, in $\mathrm{UG}(N_5)$, $\psi_{init}(x)$ holds exclusively for $x$ interpreted by $M_4 + \{p_\ell\}$. The subgraph of $\mathrm{UG}(N_5)$ reachable from the marking $M_4 + \{p_\ell\}$ is isomorphic to $\mathrm{PURG}_\circ(N_4)$. Therefore, in $\mathrm{UG}(N_5)$, $\psi_{init}(x) \wedge x \to y \wedge \neg(y \leadsto x)$ holds for $x, y$ if and only if $x$ is interpreted by $M_4 + \{p_\ell\}$ and $y$ is interpreted by $M_3 + \{p_1\} + \{p_\ell\}$. The subgraph of $\mathrm{UG}(N_5)$ reachable from the marking $M_3 + \{p_1\} + \{p_\ell\}$ is isomorphic to $\mathrm{PURG}_\circ(N_3)$. Therefore, $\mathrm{PURG}_\circ(N_3) \models \varphi$ if and only if $\mathrm{UG}(N_5) \models \overline{\varphi}$, where $\overline{\varphi}$ is the formula:

$$\exists x_0\, x_1\; \psi_{init}(x_0) \wedge x_0 \to x_1 \wedge \neg(x_1 \leadsto x_0) \wedge f(\varphi)$$

where $f(\cdot)$ is homomorphic for Boolean connectives and $f(\forall x\; \psi) = \forall x\; (x_1 \leadsto x) \Rightarrow f(\psi)$ (relativization). As a consequence, $\mathrm{UG}(N_5) \models \overline{\varphi}$ is undecidable from the input $\{N_1, N_2\}$. □
Table 1: Summary (†: equivalent to the Petri net (non-)reachability problem)



In this section, we have examined several first-order sublanguages involving the reachability predicate. We obtained undecidability results, even when the reachable markings form a semilinear set, and even when the global structure $\mathrm{UG}(N)$ is considered instead of $\mathrm{URG}(N)$.

5. Concluding Remarks 

We investigated mainly the model-checking problem over unlabelled reachability graphs of Petri nets with the first-order language $\mathrm{FO}(\to)$ (no label on transitions, no property on markings). The robustness of our main undecidability proof has been tested against standard fragments of $\mathrm{FO}(\to)$ (for instance the two-variable fragment), modal fragments from $\mathrm{ML}(\Box, \Box^{-1})$, and against the additional assumption that reachability sets are effectively semilinear. Table 1 provides a summary of the main results (observe that whenever the reachability relation $\leadsto$ is effectively semilinear, each problem is decidable). Results in bold are proved in the paper, whereas non-bold ones are their consequences; furthermore, each undecidability result holds for a fixed formula. We have investigated several types of borderlines to distinguish decidable problems from undecidable ones. For instance, $\mathrm{MC}^{\mathrm{URG}}(\mathrm{FO}(\to))$ restricted to the two-variable fragment is undecidable, whereas $\mathrm{MC}^{\mathrm{URG}}(\mathrm{FO}(\to))$ restricted to the existential fragment is decidable (even though this problem is at least as hard as the reachability problem for Petri nets). Similarly, on the modal side, $\mathrm{MC}^{\mathrm{URG}}(\mathrm{ML}(\Box, \Box^{-1}))$ is decidable (again as hard as the reachability problem for Petri nets), whereas $\mathrm{VAL}^{\mathrm{URG}}(\mathrm{ML}(\Box, \Box^{-1}))$ is undecidable. Despite the numerous results we obtained, we can identify the following rules of thumb.

(1) Undecidability of $\mathrm{MC}^{\mathrm{URG}}(\mathrm{FO}(\to))$ is robust for numerous fragments of $\mathrm{FO}(\to)$, including both universal and existential quantifications (a single alternation is enough).

(2) Decidability results with simple restrictions, such as considering bounded Petri nets or $\exists\mathrm{FO}(\to)$, lead to computationally difficult problems, some of them being non-primitive recursive or as hard as the reachability problem for Petri nets (see Section 3.4).

(3) The above points are still relevant for modal languages. 
Let us conclude the paper by mentioning possible continuations of this work. A first direction would be to investigate the model checking of fragments of second-order languages with respect to Petri net unlabelled reachability graphs. Knowing that $\mathrm{MC}^{\mathrm{URG}}(\mathrm{FO}(\to))$ is already undecidable, this makes sense only if one disallows first-order quantification, while keeping of course second-order quantification. A possible primitive atomic formula could be for instance: $X \to Y \stackrel{\mathrm{def}}{\Leftrightarrow}$ for all $x \in X$, there is $y \in Y$ such that $x \to y$, and for all $y \in Y$, there is $x \in X$ such that $x \to y$. With this definition, it is easily shown that $\mathrm{MC}^{\mathrm{URG}}(\mathrm{MSO}(\to))$ is undecidable, but many other fragments of MSO are worth investigating and comparing with the fragments considered in the paper.

A second direction for extending this work would be to consider the geometrical properties of the set of markings reachable from a given marking, taken as a subset of $\mathbb{N}^n$. It is for instance trivial to determine whether there is at least one marking reachable from the initial marking and different from it. It is slightly more difficult to prove that there is at least one non-reachable marking.

A third direction, diverging significantly from our approach, would be to investigate decidability questions about infinite unfoldings of nets instead of net reachability graphs. Unfolding Petri nets produces local event structures that induce in turn local trace languages [24]. Safe Petri nets, as opposed to unbounded Petri nets, may in particular be modelled with regular trace event structures [34]. The decidability of FO over regular trace event structures has been shown in [31], as well as the decidability of MTL, a fragment of MSO where quantification is restricted to conflict-free sets of events. The proofs of these results rely strongly on regularity and do not extend easily to local event structures representing general Petri nets.